Adobe certification Adobe
Apple certification Apple
Avaya certification Avaya
Check Point certification Check Point
Cisco certification Cisco
Citrix certification Citrix
CIW certification CIW
CompTIA certification CompTIA
CWNP certification CWNP
EC-Council certification EC-Council
EMC certification EMC
Exin certification Exin
F5 certification F5
Fortinet certification Fortinet
GIAC certification GIAC
Hitachi certification Hitachi
HP certification HP
IBM certification IBM
Isaca certification Isaca
ISC certification ISC
ISEB certification ISEB
Juniper certification Juniper
LPI certification LPI
Microsoft certification Microsoft
Oracle certification Oracle
PMI certification PMI
Riverbed certification Riverbed
SAP certification SAP
Sun certification Sun
Sybase certification Sybase
Symantec certification Symantec
VMware certification VMware
All Exams

Isaca CISM Exam -

Free CISM Sample Questions:

1. Rental of time by one enterprise of another enterprise's computer for use by the renter organization's personnel is called ____________ usage.
A.) timesharing
B.) service bureau
C.) remote batch
D.) block time

Answer: D
The System Development Life Cycle (SDLC) Feasibility Report assists management in determining to proceed with the implementation of a new or improved system. During evaluation of alternative system configurations, management should consider the feasibility of outsourcing. Outsource computer processing maybe block time, remote batch, timesharing, or service bureau. Rental of time by one enterprise of another enterprise's computer for use by the renter organization's personnel is called block time usage; hence, this is the correct answer.Remote batch is an incorrect answer because processing is restricted to batch mode with the enterprise maintaining minimal input and output hardware. Timesharing is an incorrect answer because it appears that the enterprise is the sole user though multiple users are sharing computer resources. Lastly, service bureau is an incorrect answer because, by definition, the enterprise is leasing a wide range of information processing capabilities.

2. Which of the following should be included in a Continuity Plan?
A.) A list of all employees
B.) None of the choices listed
C.) Training dates
D.) Fax systems

Answer: D
The fax system within an organization is a critical part of modern office automation. Furthermore, fax systems provide communications in a reduced time frame compared to postal services. Therefore, fax systems should be included in an organization's continuity plan.Continuity plans should list key personnel of the organization. The key personnel selected in turn should have responsibility for selected personnel. Thus, a list of all employees is an incorrect answer.In addition, training dates is an incorrect answer because it is a human resources/management scheduling issue.

3. The JAD acronym represents:
A.) Java Application Design.
B.) Joint Asynchronous Development.
C.) Joint Asynchronous Design.
D.) Joint Application Development.

Answer: D
International Business Machine (IBM) personnel developed Joint Application Development (JAD) to improve the quality of the system requirements and specifications. JAD is the acronym for Joint Application Development. Therefore, Joint Asynchronous Design, Joint Asynchronous Development, and Java Application Design are the incorrect answers.

4. What is the major difference between RAID Level 1 and RAID Level 3?
A.) Data parity
B.) Fault tolerance
C.) CPU utilization
D.) I/O performance

Answer: A
A Redundant Array of Independent Disks (RAID) improves system performance and can provide data reliability. RAID Level 1 and RAID Level 3 use disk mirroring to implement fault tolerance, however, RAID Level 3 uses an additional drive dedicated to maintaining parity information. Therefore, data parity is the correct answer.Though RAID Level 3 has a higher Input/Output (I/O) performance rate, as compared to RAID Level 1, it is not the most significant difference; therefore this answer is incorrect. Fault tolerance is an incorrect answer because RAID Level 1 and RAID Level 3 have similar capabilities in this area. In addition, Central Processing Unit (CPU) utilization is an incorrect answer because it is an operating system issue.

5. A system that performs penetration testing with the objective of obtaining unauthorized information residing inside a computer is:
A.) van Eck phreaking.
B.) biometrician.
C.) phreaking.
D.) port scanning.

Answer: D
Port scanning "identifies open doors to a computer." Computer crackers and hackers can use this technique to obtain unauthorized information. Thus, port scanning is the correct answer. Van Eck phreaking is an incorrect answer because it is described as "a form of eavesdropping in which special equipment is used to pick up telecommunication signals or data within a computer device by monitoring and picking up the electromagnetic fields (EM fields) that are produced by the signals or movement of the data." Biometrician is an incorrect answer because it is defined as a system using a physical attribute for authenticating only authorized users are provided access to a network or application. In addition, Phreaking is an incorrect answer because it is defined as a special device designed to deceive telephone systems concerning a caller’s identity.

6. An allocated Internet HTTP port is:
A.) 110.
B.) 161.
C.) 21.
D.) 80.

Answer: D
Information Technology protocols have a special set of rules for connecting to telecommunications end points. Hyper Text Transfer Protocol (HTTP) is utilized for formatting, transmitting, and determining "what actions Web servers and browsers should take in response to various commands." Port 80 is usually allocated for HTTP; therefore, this is the correct answer. Ports 21, 110, and 161, are allocated for File Transfer Protocol, Post Office Protocol 3, and Simple Network Management Protocol, respectively. Thus, these ports are incorrect answers because they are not normally used for HTTP.

7. Which of the following is not an encapsulating protocol?
B.) IPSec
C.) L2F
D.) NetBeui

Answer: D
A carrier protocol is required in order to provide tunneling on a Virtual Private Network. Network Basic Input Output System Extended User Interface (NetBeui) is one of the carrier protocols used to transport original data; thus, NetBeui is the correct answer.Generic Routing Encapsulation (GRE), Internet Packet Exchange (IPSec), and Layer2Forwarding (L2F) are incorrect answers because they are encapsulating protocols.

8. Which of the following is an IT management policy issue?
A.) Risk assessment
B.) Control environment
C.) All of the choices listed
D.) Information and communication

Answer: C
A system for disseminating Information Technology (IT) management's objectives is considered fundamental to good business practices. IT management's role in policy formulation includes the control environment, risk assessment, as well as information and communication. Thus, the correct answer is all of the choices listed.

9. Computer bus arbitration's slowest signaling methodology when gaining network access is:
C.) Token Passing.

Answer: A
A Network Interface Card (NIC) determines the standard signaling methodology for obtaining access to a network bus. "Carrier-sense multiple access (CSMA) is a medium access control technique for multiple-access transmission media. A station wishing to transmit first senses the medium and transmits only if the medium is idle." Whereas; CSMA/Collusion Avoidance (CA) provides an avoidance mechanism which increases transmission processing time. Thus, CSMA/CA is the correct answer.CSMA/CD, Token Passing, and CSMA are incorrect answers because these techniques do not wait until a transmission line is clear before sending a message.

10. Which of the following phases of a SDLC should IT management verify that a new system information adheres to security principles and strategies?
A.) Implementation
B.) Testing
C.) Functional Specifications
D.) Conceptual

Answer: D
According to Peter H. Gregory, CISSP, CISA, a typical System Development Life Cycle (SDLC) includes conceptual definition, functional requirements and specifications, technical requirements and specifications, design, coding, test, and implementation phases. In addition, he states that information security principles and strategies are implemented during the conceptual phase. Testing, functional specifications, and implementation phases are incorrect answers because these call for verification of each information security requirement, determination of information security requirements, and procedures for integrating existing security measures during a SDLC, respectively.