CISM Certified Information Security Manager Practice Test Set 4

The MOST effective approach to address issues that arise between IT management, business
units and security management when implementing a new security strategy is for the information
security manager to:


Options are :

  • insist that managers or units not in agreement with the security solution accept the risk.
  • ensure that senior management provides authority for security to address the issues
  • refer the issues to senior management along with any security recommendations
  • escalate issues to an external third party for resolution

Answer : refer the issues to senior management along with any security recommendations

What is the MAIN risk when there is no user management representation on the Information
Security Steering Committee?


Options are :

  • Information security plans are not aligned with business requirements
  • Budgets allocated to business units are not appropriate
  • User training programs may be inadequate
  • Functional requirements are not adequately considered

Answer : Information security plans are not aligned with business requirements

Which of the following is a benefit of information security governance?


Options are :

  • Questioning trust in vendor relationships
  • Increasing the risk of decisions based on incomplete management information
  • Reduction of the potential for civil or legal liability
  • Direct involvement of senior management in developing control processes

Answer : Reduction of the potential for civil or legal liability


Which of the following is the BEST reason to perform a business impact analysis (BIA)?


Options are :

  • To budget appropriately for needed controls
  • To help determine the current state of risk
  • To analyze the effect on the business
  • To satisfy regulatory requirements

Answer : To help determine the current state of risk

A multinational organization operating in fifteen countries is considering implementing an
information security program. Which factor will MOST influence the design of the Information
security program?


Options are :

  • Representation by regional business leaders
  • Composition of the board
  • IT security skills
  • Cultures of the different countries

Answer : Cultures of the different countries

Effective IT governance is BEST ensured by:


Options are :

  • management by the IT department
  • utilizing a top-down approach
  • utilizing a bottom-up approach
  • referring the matter to the organization's legal department

Answer : utilizing a top-down approach


Which of the following BEST contributes to the development of a security governance framework
that supports the maturity model concept?


Options are :

  • Key risk indicator (KRI) setup to security management processes
  • Continuous monitoring of the return on security investment (ROSI)
  • Continuous analysis, monitoring and feedback
  • Continuous risk reduction

Answer : Continuous analysis, monitoring and feedback

Which of the following would be MOST helpful to achieve alignment between information security
and organization objectives?


Options are :

  • Key control monitoring
  • A security program that enables business activities
  • An effective security architecture
  • None
  • A robust security awareness program

Answer : A security program that enables business activities

Obtaining senior management support for establishing a warm site can BEST be accomplished by:


Options are :

  • promoting regulatory requirements.
  • developing a business case.
  • developing effective metrics.
  • establishing a periodic risk assessment

Answer : developing a business case.


Which of the following will BEST protect an organization from internal security attacks?


Options are :

  • Internal address translation
  • Employee awareness certification program
  • Prospective employee background checks
  • Static IP addressing

Answer : Prospective employee background checks

Phishing is BEST mitigated by which of the following?


Options are :

  • User awareness
  • Encryption
  • Security monitoring software
  • Two-factor authentication

Answer : User awareness


The valuation of IT assets should be performed by:


Options are :

  • an independent security consultant
  • the information owner
  • an IT security manager
  • the chief financial officer (CFO).

Answer : the information owner

The PRIMARY goal of a corporate risk management program is to ensure that an organization's


Options are :

  • IT facilities and systems are always available
  • IT assets in key business functions are protected
  • business risks are addressed by preventive controls
  • stated objectives are achievable

Answer : stated objectives are achievable

Identification and prioritization of business risk enables project managers to:


Options are :

  • accelerate completion of critical paths
  • address areas with most significance
  • establish implementation milestones.
  • reduce the overall amount of slack time

Answer : address areas with most significance


The MOST important function of a risk management program is to:


Options are :

  • quantify overall risk.
  • maximize the sum of all annualized loss expectancies (ALEs).
  • eliminate inherent risk.
  • minimize residual risk.

Answer : minimize residual risk.

The recovery time objective (RTO) is reached at which of the following milestones?


Options are :

  • Recovery of the backups
  • Return to business as usual processing
  • Disaster declaration
  • Restoration of the system

Answer : Restoration of the system

Risk management programs are designed to reduce risk to:


Options are :

  • a level that the organization is willing to accept.
  • the point at which the benefit exceeds the expense
  • a rate of return that equals the current cost of capital.
  • a level that is too small to be measurable.

Answer : a level that the organization is willing to accept.


Which two components PRIMARILY must be assessed in an effective risk analysis?


Options are :

  • Financial impact and duration
  • Visibility and duration
  • Probability and frequency
  • Likelihood and impact

Answer : Likelihood and impact

The PRIMARY benefit of performing an information asset classification is to:


Options are :

  • establish ownership.
  • link security requirements to business objectives.
  • identify controls commensurate to risk.
  • define access rights

Answer : identify controls commensurate to risk.

After completing a full IT risk assessment, who can BEST decide which mitigating controls should
be implemented?


Options are :

  • Business manager
  • Senior management
  • IT audit manager
  • Information security officer (ISO)

Answer : Business manager


Information security managers should use risk assessment techniques to:


Options are :

  • justify selection of risk mitigation strategies
  • maximize the return on investment (ROI).
  • provide documentation for auditors and regulators
  • quantify risks that would otherwise be subjective

Answer : justify selection of risk mitigation strategies

Based on the information provided, which of the following situations presents the GREATEST
information security risk for an organization with multiple, but small, domestic processing
locations?


Options are :

  • Systems development is outsourced
  • Systems capacity management is not performed
  • Systems operation procedures are not enforced
  • Change management procedures are poor

Answer : Change management procedures are poor

It is important to classify and determine relative sensitivity of assets to ensure that:


Options are :

  • highly sensitive assets are protected.
  • cost of protection is in proportion to sensitivity
  • cost of controls is minimized.
  • countermeasures are proportional to risk.

Answer : countermeasures are proportional to risk.


Who would be in the BEST position to determine the recovery point objective (RPO) for business
applications?


Options are :

  • Chief operations officer (COO)
  • Information security manager
  • Business continuity coordinator
  • Internal audit

Answer : Chief operations officer (COO)

The decision on whether new risks should fall under periodic or event-driven reporting should be
based on which of the following?


Options are :

  • Likelihood of occurrence
  • Incident frequency
  • Visibility of impact
  • Mitigating controls

Answer : Visibility of impact

Which of the following is MOST essential for a risk management program to be effective?


Options are :

  • New risks detection
  • Flexible security budget
  • Accurate risk reporting
  • Sound risk baseline

Answer : New risks detection


Which of the following groups would be in the BEST position to perform a risk analysis for a
business?


Options are :

  • A specialized management consultant
  • Process owners
  • External auditors
  • A peer group within a similar business

Answer : Process owners

A risk assessment should be conducted:


Options are :

  • annually or whenever there is a significant change
  • once a year for each business process and subprocess.
  • every three to six months for critical business processes.
  • by external parties to maintain objectivity

Answer : annually or whenever there is a significant change

A business impact analysis (BIA) is the BEST tool for calculating:


Options are :

  • residual risk.
  • total cost of ownership.
  • annualized loss expectancy (ALE).
  • priority of restoration

Answer : priority of restoration


When residual risk is minimized:


Options are :

  • risk is transferable
  • acceptable risk is probable.
  • transferred risk is acceptable.
  • control risk is reduced.

Answer : acceptable risk is probable.
