CISM Certified Information Security Manager Practice Test Set 3

On a company's e-commerce web site, a good legal statement regarding data privacy should
include:


Options are :

  • technical information regarding how information is protected.
  • a statement regarding where the information is being hosted.
  • a statement regarding what the company will do with the information it collects
  • a disclaimer regarding the accuracy of information on its web site.

Answer : a statement regarding what the company will do with the information it collects

The MOST complete business case for security solutions is one that:


Options are :

  • explains the current risk profile.
  • identifies incidents and losses
  • includes appropriate justification
  • details regulatory requirements.

Answer : includes appropriate justification

The FIRST step in establishing a security governance program is to:


Options are :

  • conduct a risk assessment
  • conduct a workshop for all end users.
  • obtain high-level sponsorship.
  • prepare a security budget.

Answer : obtain high-level sponsorship.

CISM Certified Information Security Manager Practice Test Set 7

When an organization is implementing an information security governance program, its board of
directors should be responsible for:


Options are :

  • auditing for compliance
  • reviewing training and awareness programs
  • drafting information security policies
  • setting the strategic direction of the program

Answer : setting the strategic direction of the program

Which of the following is the MOST important element of an information security strategy?


Options are :

  • Time frames for delivery
  • Complete policies
  • Defined objectives
  • Adoption of a control framework

Answer : Defined objectives

Which of the following would be the BEST option to improve accountability for a system
administrator who has security functions?


Options are :

  • None
  • Require the administrator to obtain security certification
  • Train the system administrator on penetration testing and vulnerability assessment
  • Include security responsibilities in the job description
  • Train the system administrator on risk assessment

Answer : Include security responsibilities in the job description

CISM Information Risk Management Certification Practice Test

A risk assessment and business impact analysis (BIA) have been completed for a major proposed
purchase and new process for an organization. There is disagreement between the information
security manager and the business department manager who will own the process regarding the
results and the assigned risk. Which of the following would be the BEST approach of the
information security manager?


Options are :

  • A new risk assessment and BIA are needed to resolve the disagreement
  • Review of the assessment with executive management for final input
  • Acceptance of the business manager's decision on the risk to the corporation
  • Acceptance of the information security manager's decision on the risk to the corporation

Answer : Review of the assessment with executive management for final input

From an information security perspective, information that no longer supports the main purpose of
the business should be:


Options are :

  • protected under the information classification policy.
  • analyzed under the retention policy
  • analyzed under the backup policy.
  • protected under the business impact analysis (BIA).

Answer : analyzed under the retention policy

Which of the following is the BEST method or technique to ensure the effective implementation of
an information security program?


Options are :

  • Implement logical access controls to the information systems
  • Improve the employees' knowledge of security policies
  • Obtain the support of the board of directors
  • Improve the content of the information security awareness program

Answer : Obtain the support of the board of directors

CISM Information Security Governance Certified Practice Exam

A risk management program should reduce risk to:


Options are :

  • zero.
  • an acceptable percent of revenue
  • an acceptable level.
  • an acceptable probability of occurrence

Answer : an acceptable level.

For risk management purposes, the value of an asset should be based on:


Options are :

  • original cost.
  • net cash flow.
  • replacement cost.
  • net present value.

Answer : replacement cost.

Information security should be:


Options are :

  • defined by the board of directors.
  • a balance between technical and business requirements.
  • driven by regulatory requirements.
  • focused on eliminating all risks

Answer : a balance between technical and business requirements.

CISM Information Security Governance Certified

The MOST important factor in ensuring the success of an information security program is effective:


Options are :

  • communication of information security requirements to all users in the organization
  • formulation of policies and procedures for information security.
  • alignment with organizational goals and objectives.
  • monitoring compliance with information security policies and procedures

Answer : alignment with organizational goals and objectives.

The value of information assets is BEST determined by:


Options are :

  • industry averages benchmarking
  • individual business managers
  • business systems analysts
  • information security management

Answer : individual business managers

The organization has decided to outsource the majority of the IT department with a vendor that is
hosting servers in a foreign country. Of the following, which is the MOST critical security
consideration?


Options are :

  • Additional network intrusion detection sensors should be installed, resulting in an additional cost.
  • The company could lose physical control over the server and be unable to monitor the physical security posture of the servers
  • A security breach notification might get delayed due to the time difference.
  • Laws and regulations of the country of origin may not be enforceable in the foreign country.

Answer : Laws and regulations of the country of origin may not be enforceable in the foreign country.

CISM Information Security Program Management Practice Exam Set 5

An information security manager must understand the relationship between information security
and business operations in order to:


Options are :

  • support organizational objectives.
  • determine likely areas of noncompliance.
  • assess the possible impacts of compromise
  • understand the threats to the business

Answer : support organizational objectives.

Which of the following is the BEST justification to convince management to invest in an
information security program?


Options are :

  • Increased business value
  • Protection of business assets
  • Compliance with company policies
  • Cost reduction

Answer : Increased business value

Which of the following BEST indicates a successful risk management practice?


Options are :

  • Residual risk is minimized
  • Overall risk is quantified
  • Inherent risk is eliminated
  • Control risk is tied to business units

Answer : Residual risk is minimized

CISM Information Risk Management Certification Practice Exam

Which of the following would help to change an organization's security culture?


Options are :

  • Develop procedures to enforce the information security policy
  • Implement strict technical security controls
  • Periodically audit compliance with the information security policy
  • Obtain strong management support

Answer : Obtain strong management support

Which of the following should be determined while defining risk management strategies?


Options are :

  • Enterprise disaster recovery plans
  • IT architecture complexity
  • Risk assessment criteria
  • Organizational objectives and risk appetite

Answer : Organizational objectives and risk appetite

In a business impact analysis, the value of an information system should be based on the overall
cost:


Options are :

  • of emergency operations
  • of recovery
  • if unavailable
  • to recreate.

Answer : if unavailable

CISM Information Security Program Management Test

A risk mitigation report would include recommendations for


Options are :

  • assessment.
  • evaluation
  • quantification.
  • acceptance

Answer : acceptance

The FIRST step to create an internal culture that focuses on information security is to:


Options are :

  • gain the endorsement of executive management
  • implement stronger controls.
  • actively monitor operations
  • conduct periodic awareness training.

Answer : gain the endorsement of executive management

A successful information security management program should use which of the following to
determine the amount of resources devoted to mitigating exposures?


Options are :

  • Amount of IT budget available
  • Audit report findings
  • Risk analysis results
  • Penetration test results

Answer : Risk analysis results

CISM Information Security Program Management Practice Exam Set 1

Which of the following should be included in an annual information security budget that is
submitted for management approval?


Options are :

  • Total cost of ownership (TCO)
  • A cost-benefit analysis of budgeted resources
  • All of the resources that are recommended by the business
  • Baseline comparisons

Answer : A cost-benefit analysis of budgeted resources

Acceptable risk is achieved when:


Options are :

  • inherent risk is minimized.
  • control risk is minimized
  • residual risk is minimized
  • transferred risk is minimized.

Answer : residual risk is minimized

When implementing effective security governance within the requirements of the company's
security strategy, which of the following is the MOST important factor to consider?


Options are :

  • Establishing system manager responsibility for information security
  • Preserving the confidentiality of sensitive data
  • Establishing international security standards for data sharing
  • Adhering to corporate privacy standards

Answer : Preserving the confidentiality of sensitive data

CISM Information Security Program Management Practice Exam

Who is responsible for ensuring that information is categorized and that specific protective
measures are taken?


Options are :

  • The security officer
  • The custodian
  • The end user
  • Senior management

Answer : Senior management

An organization's board of directors has learned of recent legislation requiring organizations within
the industry to enact specific safeguards to protect confidential customer information. What actions
should the board take next?


Options are :

  • Research solutions to determine the proper solutions
  • Require management to report on compliance
  • Direct information security on what they need to do
  • Nothing; information security does not report to the board

Answer : Require management to report on compliance

What is the MOST important factor in the successful implementation of an enterprise-wide
information security program?


Options are :

  • Realistic budget estimates
  • Support of senior management
  • Recalculation of the work factor
  • Security awareness

Answer : Support of senior management
