CISM Certified Information Security Manager Practice Test Set 1

Logging is an example of which type of defense against systems compromise?


Options are :

  • Detection
  • Reaction
  • Containment
  • Recovery

Answer : Detection

CISM Information Security Program Management Test

From an information security manager's perspective, what is the immediate benefit of clearly defined
roles and responsibilities?

Options are :

  • Enhanced policy compliance
  • Segregation of duties
  • Improved procedure flows
  • Better accountability

Answer : Better accountability

A new regulation for safeguarding information processed by a specific type of transaction has
come to the attention of an information security officer. The officer should FIRST:


Options are :

  • update the existing security/privacy policy.
  • analyze key risks in the compliance process.
  • assess whether existing controls meet the regulation.
  • meet with stakeholders to decide how to comply.

Answer : assess whether existing controls meet the regulation

Which of the following is responsible for legal and regulatory liability?


Options are :

  • Information security steering group
  • Chief security officer (CSO)
  • Board and senior management
  • Chief legal counsel (CLC)

Answer : Board and senior management

CISM Information Security Program Management Practice Exam Set 1

Which of the following is the MOST important prerequisite for establishing information security
management within an organization?


Options are :

  • Information security policy
  • Senior management commitment
  • Information security organizational structure
  • Information security framework

Answer : Senior management commitment

Temporarily deactivating some monitoring processes, even if supported by an acceptance of
operational risk, may not be acceptable to the information security manager if:


Options are :

  • changes in the roles matrix cannot be detected.
  • it violates industry security practices.
  • short-term impact cannot be determined.
  • it implies compliance risks.

Answer : it implies compliance risks.

Which of the following factors is a PRIMARY driver for information security governance that does
not require any further justification?


Options are :

  • Alignment with industry best practices
  • Regulatory compliance
  • Business continuity investment
  • Business benefits

Answer : Regulatory compliance

CISM Certified Information Security Manager Practice Test Set 5

To justify its ongoing security budget, which of the following would be of MOST use to the
information security department?


Options are :

  • Peer group comparison
  • Annualized loss expectancy (ALE)
  • Security breach frequency
  • Cost-benefit analysis

Answer : Cost-benefit analysis

A security manager meeting the requirements for the international flow of personal data will need
to ensure:


Options are :

  • subject access procedures.
  • the agreement of the data subjects.
  • a data protection registration.
  • a data processing agreement.

Answer : the agreement of the data subjects.

Which of the following situations would MOST inhibit the effective implementation of security
governance?


Options are :

  • Budgetary constraints
  • The complexity of technology
  • Conflicting business priorities
  • High-level sponsorship

Answer : High-level sponsorship

The PRIMARY objective of a security steering group is to:


Options are :

  • implement all decisions on security management across the organization
  • raise information security awareness across the organization
  • ensure information security aligns with business goals.
  • ensure information security covers all business functions.

Answer : ensure information security aligns with business goals.

An outcome of effective security governance is:


Options are :

  • risk assessment.
  • planning.
  • business dependency assessment.
  • strategic alignment.

Answer : strategic alignment.

Who in an organization has the responsibility for classifying information?


Options are :

  • Data owner
  • Data custodian
  • Database administrator
  • Information security officer

Answer : Data owner

CISM Information Security Governance Certification Test

What would be the MOST significant security risk when using wireless local area network (LAN)
technology?


Options are :

  • Spoofing of data packets
  • Man-in-the-middle attack
  • Session hijacking
  • Rogue access point

Answer : Rogue access point

What is the PRIMARY role of the information security manager in the process of information classification within an organization?


Options are :

  • Deciding the classification levels applied to the organization's information assets
  • Securing information assets in accordance with their classification
  • Defining and ratifying the classification structure of information assets
  • Checking if information assets have been classified properly

Answer : Defining and ratifying the classification structure of information assets

An organization's information security processes are currently defined as ad hoc. In seeking to
improve their performance level, the next step for the organization should be to:


Options are :

  • enforce baseline security levels across the organization.
  • ensure that security processes are fully documented.
  • ensure that security processes are consistent across the organization.
  • implement monitoring of key performance indicators for security processes.

Answer : ensure that security processes are consistent across the organization

CISM Information Security Program Management Practice Exam Set 2

When personal information is transmitted across networks, there MUST be adequate controls
over:


Options are :

  • privacy protection.
  • encryption devices.
  • change management.
  • consent to data transfer.

Answer : privacy protection.

A good privacy statement should include:


Options are :

  • notification that information will be encrypted.
  • a description of the information classification process.
  • what the company will do with information it collects.
  • notification of liability on accuracy of information.

Answer : what the company will do with information it collects

When designing an information security quarterly report to management, the MOST important
element to be considered should be the:


Options are :

  • linkage to business area objectives.
  • information security metrics.
  • knowledge required to analyze each issue.
  • baseline against which metrics are evaluated.

Answer : linkage to business area objectives

CISM Information Security Governance Certification

Which of the following would be MOST effective in successfully implementing restrictive password
policies?


Options are :

  • Security awareness program
  • Single sign-on system
  • Penalties for noncompliance
  • Regular password audits

Answer : Security awareness program

Information security policy enforcement is the responsibility of the:


Options are :

  • security steering committee.
  • chief information security officer (CISO).
  • chief compliance officer (CCO).
  • chief information officer (CIO).

Answer : chief information security officer (CISO).

A security manager is preparing a report to obtain the commitment of executive management to a
security program. Inclusion of which of the following would be of MOST value?


Options are :

  • Associating realistic threats to corporate objectives
  • Analysis of current technological exposures
  • Examples of genuine incidents at similar organizations
  • Statement of generally accepted best practices

Answer : Associating realistic threats to corporate objectives

Which of the following is the MOST important to keep in mind when assessing the value of
information?


Options are :

  • The cost of insurance coverage
  • The cost of recreating the information
  • The potential financial loss
  • Regulatory requirement

Answer : The potential financial loss

The MOST basic requirement for an information security governance program is to:


Options are :

  • be based on a sound risk management approach.
  • provide adequate regulatory compliance.
  • be aligned with the corporate business strategy.
  • provide best practices for security initiatives.

Answer : be aligned with the corporate business strategy.

The MOST useful way to describe the objectives in the information security strategy is through:


Options are :

  • calculation of annual loss expectations.
  • mapping the IT systems to key business processes.
  • overall control objectives of the security program.
  • attributes and characteristics of the "desired state."

Answer : attributes and characteristics of the "desired state."

CISM Information Security Governance Practice Test Set 3

Reviewing which of the following would BEST ensure that security controls are effective?


Options are :

  • Risk assessment policies
  • User access rights
  • Security metrics
  • Return on security investment

Answer : Security metrics

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?


Options are :

  • Return on security investment report
  • Security metrics reports
  • Risk assessment reports
  • Business impact analysis (BIA)

Answer : Risk assessment reports

To achieve effective strategic alignment of security initiatives, it is important that:


Options are :

  • Procedures and standards be approved by all departmental heads.
  • Inputs be obtained and consensus achieved between the major organizational units.
  • The business strategy be updated periodically.
  • Steering committee leadership be selected by rotation.

Answer : Inputs be obtained and consensus achieved between the major organizational units.

CISM Information Risk Management Certification

When an organization is setting up a relationship with a third-party IT service provider, which of
the following is one of the MOST important topics to include in the contract from a security
standpoint?


Options are :

  • Use of a two-factor authentication system.
  • Existence of an alternate hot site in case of business disruption.
  • Compliance with international security standards.
  • Compliance with the organization's information security requirements.

Answer : Compliance with the organization's information security requirements

At what stage of the applications development process should the security department initially
become involved?


Options are :

  • At detail requirements
  • At testing
  • At programming
  • When requested

Answer : At detail requirements
