CISM Certified Information Security Manager Practice Test Set 2

What will have the HIGHEST impact on standard information security governance models?


Options are :

  • Organizational budget
  • Complexity of organizational structure (Correct)
  • Distance between physical locations
  • Number of employees

Answer : Complexity of organizational structure

The MOST important characteristic of good security policies is that they:


Options are :

  • state expectations of IT management.
  • govern the creation of procedures and guidelines.
  • state only one general security mandate.
  • are aligned with organizational goals. (Correct)

Answer : are aligned with organizational goals.

When developing an information security program, what is the MOST useful source of information
for determining available resources?


Options are :

  • Proficiency test
  • Skills inventory (Correct)
  • Organization chart
  • Job descriptions

Answer : Skills inventory

In implementing information security governance, the information security manager is PRIMARILY responsible for:


Options are :

  • developing the security strategy (Correct)
  • reviewing the security strategy
  • communicating the security strategy
  • approving the security strategy

Answer : developing the security strategy

What would a security manager PRIMARILY utilize when proposing the implementation of a
security solution?


Options are :

  • Technical evaluation report
  • Business case (Correct)
  • Budgetary requirements
  • Risk assessment report

Answer : Business case

An information security strategy document that includes specific links to an organization's
business activities is PRIMARILY an indicator of:


Options are :

  • value delivery.
  • alignment. (Correct)
  • integration.
  • performance measurement.

Answer : alignment.

In order to highlight to management the importance of network security, the security manager
should FIRST:


Options are :

  • conduct a risk assessment. (Correct)
  • install a network intrusion detection system (NIDS) and prepare a list of attacks.
  • develop a network security policy.
  • develop a security architecture.

Answer : conduct a risk assessment.

The FIRST step in developing an information security management program is to:


Options are :

  • identify business risks that affect the organization.
  • assign responsibility for the program.
  • clarify organizational purpose for creating the program. (Correct)
  • assess adequacy of controls to mitigate business risks.

Answer : clarify organizational purpose for creating the program.

Which of the following is MOST important in developing a security strategy?


Options are :

  • Creating a positive business security environment
  • Understanding key business objectives (Correct)
  • Having a reporting line to senior management
  • Allocating sufficient resources to information security

Answer : Understanding key business objectives

To justify the need to invest in a forensic analysis tool, an information security manager should
FIRST:


Options are :

  • provide examples of situations where such a tool would be useful.
  • review comparison reports of tool implementation in peer companies.
  • substantiate the investment in meeting organizational needs. (Correct)
  • review the functionalities and implementation requirements of the solution.

Answer : substantiate the investment in meeting organizational needs.

An information security manager mapping a job description to types of data access is MOST likely
to adhere to which of the following information security principles?


Options are :

  • Ethics
  • Accountability
  • Proportionality (Correct)
  • Integration

Answer : Proportionality

How would an information security manager balance the potentially conflicting requirements of an
international organization's security standards and local regulation?


Options are :

  • Negotiate a local version of the organization standards (Correct)
  • Give organization standards preference over local regulations
  • Make the organization aware of those standards where local regulations cause conflicts
  • Follow local regulations only

Answer : Negotiate a local version of the organization standards

An information security manager at a global organization has to ensure that the local information
security program will initially ensure compliance with the:


Options are :

  • data privacy policy of the headquarters' country.
  • data privacy policy where data are collected. (Correct)
  • data privacy directive applicable globally.
  • corporate data privacy policy.

Answer : data privacy policy where data are collected.

Who should drive the risk analysis for an organization?


Options are :

  • Security manager (Correct)
  • Senior management
  • Quality manager
  • Legal department

Answer : Security manager

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and
availability of the transaction. This is an example of an information security:


Options are :

  • policy. (Correct)
  • strategy.
  • procedure.
  • baseline.

Answer : policy.

Who is ultimately responsible for the organization's information?


Options are :

  • Chief information officer (CIO)
  • Data custodian
  • Chief information security officer (CISO)
  • Board of directors (Correct)

Answer : Board of directors

In order to highlight to management the importance of integrating information security in the
business processes, a newly hired information security officer should FIRST:


Options are :

  • prepare a security budget.
  • develop an information security policy.
  • obtain benchmarking information.
  • conduct a risk assessment. (Correct)

Answer : conduct a risk assessment.

While implementing information security governance, an organization should FIRST:


Options are :

  • define the security strategy. (Correct)
  • establish security policies.
  • determine security baselines.
  • adopt security standards.

Answer : define the security strategy.

The PRIMARY concern of an information security manager documenting a formal data retention
policy would be:


Options are :

  • business requirements. (Correct)
  • legislative and regulatory requirements.
  • storage availability.
  • generally accepted industry best practices.

Answer : business requirements.

When developing incident response procedures involving servers hosting critical applications,
which of the following should be the FIRST to be notified?


Options are :

  • Business management
  • System users
  • Operations manager
  • Information security manager (Correct)

Answer : Information security manager

The BEST way to justify the implementation of a single sign-on (SSO) product is to use:


Options are :

  • return on investment (ROI).
  • a vulnerability assessment.
  • annual loss expectancy (ALE).
  • a business case. (Correct)

Answer : a business case.

Which of the following is MOST important to understand when developing a meaningful
information security strategy?


Options are :

  • Regulatory environment
  • Organizational goals (Correct)
  • International security standards
  • Organizational risks

Answer : Organizational goals

The MAIN reason for having the Information Security Steering Committee review a new security
controls implementation plan is to ensure that:


Options are :

  • departmental budgets are allocated appropriately to pay for the plan.
  • regulatory oversight requirements are met.
  • the impact of the plan on the business units is reduced.
  • the plan aligns with the organization's business plan. (Correct)

Answer : the plan aligns with the organization's business plan.

An IS manager has decided to implement a security system to monitor access to the Internet and
prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk
with complaints of being unable to perform business functions on Internet sites. This is an example
of:


Options are :

  • conflicting security controls with organizational needs. (Correct)
  • proving information security's protective abilities.
  • strong protection of information resources.
  • implementing appropriate controls to reduce risk.

Answer : conflicting security controls with organizational needs.

An organization's information security strategy should be based on:


Options are :

  • avoiding occurrence of risks so that insurance is not required.
  • managing risk relative to business objectives. (Correct)
  • transferring most risks to insurers and saving on control costs.
  • managing risk to a zero level and minimizing insurance premiums.

Answer : managing risk relative to business objectives.

Which of the following is an advantage of a centralized information security organizational
structure?


Options are :

  • It is easier to manage and control. (Correct)
  • It is more responsive to business unit needs.
  • It is easier to promote security awareness.
  • It provides a faster turnaround for security requests.

Answer : It is easier to manage and control.

Which of the following would generally have the GREATEST negative impact on an organization?


Options are :

  • Interruption of utility services
  • Loss of customer confidence (Correct)
  • Internal fraud resulting in monetary loss
  • Theft of computer software

Answer : Loss of customer confidence

Investment in security technology and processes should be based on:


Options are :

  • safeguards that are inherent in existing technology.
  • clear alignment with the goals and objectives of the organization. (Correct)
  • best business practices.
  • success cases that have been experienced in previous projects.

Answer : clear alignment with the goals and objectives of the organization.

The MOST important reason for conducting periodic risk assessments is because:


Options are :

  • reviewers can optimize and reduce the cost of controls.
  • security risks are subject to frequent change. (Correct)
  • risk assessments are not always precise.
  • it demonstrates to senior management that the security function can add value.

Answer : security risks are subject to frequent change.

The data access requirements for an application should be determined by the:


Options are :

  • compliance officer.
  • legal department.
  • business owner. (Correct)
  • information security manager.

Answer : business owner.
