CISM Information Security Governance Certification Test

Which of the following situations would MOST inhibit the effective implementation of security governance?

Options are :

  • High-level sponsorship (Correct)
  • Budgetary constraints
  • The complexity of technology
  • Conflicting business priorities

Answer : High-level sponsorship

Logging is an example of which type of defense against systems compromise?

Options are :

  • Detection (Correct)
  • Recovery
  • Containment
  • Reaction

Answer : Detection
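Logging belongs to the detection layer because a log does not stop anything: it records what happened so that an analyst, or a rule, can notice it afterwards. The added example below (not from the page) makes that concrete by running a simple brute-force rule over a handful of constructed sshd-style lines. Hostname, addresses, user names and the function names `parse_auth_log` and `detect_bruteforce` are all made up for the illustration; the thresholds are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines for illustration (not taken from the page).
# One source fails five times in a few seconds and then succeeds; another has a
# single typo followed by a key-based login.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 09:00:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 09:00:06 host sshd[1004]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 09:00:08 host sshd[1005]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 09:00:09 host sshd[1006]: Accepted password for root from 203.0.113.7 port 50216 ssh2
Mar 10 09:01:30 host sshd[1007]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 09:01:45 host sshd[1008]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Extracts only the fields the rule needs: timestamp, outcome, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text, year=2024):
    """Turn raw lines into (timestamp, src, user, result) tuples; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each source with at least `threshold` failures inside `window`.

    Returns {src: {"failures": n, "success_after": bool}}. success_after marks the
    case that drives the response: the guessing worked and the account is compromised.
    """
    by_src = defaultdict(list)
    for ts, src, _user, result in events:
        by_src[src].append((ts, result))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [ts for ts, r in evs if r == "Failed"]
        for i in range(len(fails)):
            # extend the window from failure i as far as the timestamps allow
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j]
                success_after = any(r == "Accepted" and ts >= last_fail for ts, r in evs)
                findings[src] = {"failures": j - i + 1, "success_after": success_after}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures, compromised={info['success_after']}")
```

Note that the successful root login is only visible because every attempt was recorded; the rule detects the compromise but does nothing to prevent it. Stopping the guessing is the job of a preventive control (rate limiting, account lockout, key-only authentication), and that is exactly the distinction the question is testing.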

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

Options are :

  • Compliance with international security standards.
  • Existence of an alternate hot site in case of business disruption.
  • Compliance with the organization's information security requirements. (Correct)
  • Use of a two-factor authentication system.

Answer : Compliance with the organization's information security requirements.

The MOST important characteristic of good security policies is that they:

Options are :

  • are aligned with organizational goals. (Correct)
  • govern the creation of procedures and guidelines.
  • state expectations of IT management.
  • state only one general security mandate.

Answer : are aligned with organizational goals.

When developing an information security program, what is the MOST useful source of information for determining available resources?

Options are :

  • Organization chart
  • Proficiency test
  • Skills inventory (Correct)
  • Job descriptions

Answer : Skills inventory

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

Options are :

  • Cost-benefit analysis (Correct)
  • Security breach frequency
  • Peer group comparison
  • Annualized loss expectancy (ALE)

Answer : Cost-benefit analysis

Who is ultimately responsible for the organization's information?

Options are :

  • Data custodian
  • Chief information officer (CIO)
  • Board of directors (Correct)
  • Chief information security officer (CISO)

Answer : Board of directors

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?

Options are :

  • Follow local regulations only
  • Negotiate a local version of the organization standards (Correct)
  • Make the organization aware of those standards where local regulations cause conflicts
  • Give organization standards preference over local regulations

Answer : Negotiate a local version of the organization standards

Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

Options are :

  • Require the administrator to obtain security certification
  • Train the system administrator on risk assessment
  • Train the system administrator on penetration testing and vulnerability assessment
  • Include security responsibilities in the job description (Correct)

Answer : Include security responsibilities in the job description

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

Options are :

  • Budgetary requirements
  • Technical evaluation report
  • Business case (Correct)
  • Risk assessment report

Answer : Business case

An information security manager must understand the relationship between information security and business operations in order to:

Options are :

  • understand the threats to the business.
  • determine likely areas of noncompliance.
  • assess the possible impacts of compromise.
  • support organizational objectives. (Correct)

Answer : support organizational objectives.

Which of the following is the MOST important to keep in mind when assessing the value of information?

Options are :

  • The potential financial loss (Correct)
  • The cost of insurance coverage
  • Regulatory requirement
  • The cost of recreating the information

Answer : The potential financial loss

An outcome of effective security governance is:

Options are :

  • business dependency assessment
  • strategic alignment. (Correct)
  • risk assessment.
  • planning.

Answer : strategic alignment.

Which of the following is the MOST important element of an information security strategy?

Options are :

  • Adoption of a control framework
  • Complete policies
  • Time frames for delivery
  • Defined objectives (Correct)

Answer : Defined objectives

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

Options are :

  • refer the issues to senior management along with any security recommendations. (Correct)
  • ensure that senior management provides authority for security to address the issues.
  • insist that managers or units not in agreement with the security solution accept the risk.
  • escalate issues to an external third party for resolution.

Answer : refer the issues to senior management along with any security recommendations.

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

Options are :

  • develop an information security policy.
  • conduct a risk assessment. (Correct)
  • obtain benchmarking information.
  • prepare a security budget.

Answer : conduct a risk assessment.

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?

Options are :

  • System users
  • Business management
  • Information security manager (Correct)
  • Operations manager

Answer : Information security manager

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:

Options are :

  • it violates industry security practices.
  • short-term impact cannot be determined.
  • changes in the roles matrix cannot be detected.
  • it implies compliance risks. (Correct)

Answer : it implies compliance risks.

In implementing information security governance, the information security manager is PRIMARILY responsible for:

Options are :

  • developing the security strategy. (Correct)
  • approving the security strategy.
  • communicating the security strategy.
  • reviewing the security strategy.

Answer : developing the security strategy.

What will have the HIGHEST impact on standard information security governance models?

Options are :

  • Distance between physical locations
  • Number of employees
  • Complexity of organizational structure (Correct)
  • Organizational budget

Answer : Complexity of organizational structure

A security manager meeting the requirements for the international flow of personal data will need to ensure:

Options are :

  • a data protection registration.
  • a data processing agreement.
  • the agreement of the data subjects. (Correct)
  • subject access procedures.

Answer : the agreement of the data subjects.

Which of the following is the MOST important prerequisite for establishing information security management within an organization?

Options are :

  • Senior management commitment (Correct)
  • Information security framework
  • Information security policy
  • Information security organizational structure

Answer : Senior management commitment

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:

Options are :

  • review the functionalities and implementation requirements of the solution.
  • provide examples of situations where such a tool would be useful.
  • review comparison reports of tool implementation in peer companies.
  • substantiate the investment in meeting organizational needs. (Correct)

Answer : substantiate the investment in meeting organizational needs.

The FIRST step in developing an information security management program is to:

Options are :

  • clarify organizational purpose for creating the program. (Correct)
  • identify business risks that affect the organization.
  • assign responsibility for the program.
  • assess adequacy of controls to mitigate business risks.

Answer : clarify organizational purpose for creating the program.

To achieve effective strategic alignment of security initiatives, it is important that:

Options are :

  • Steering committee leadership be selected by rotation.
  • Inputs be obtained and consensus achieved between the major organizational units (Correct)
  • The business strategy be updated periodically.
  • Procedures and standards be approved by all departmental heads.

Answer : Inputs be obtained and consensus achieved between the major organizational units

Which of the following is MOST important in developing a security strategy?

Options are :

  • Having a reporting line to senior management
  • Creating a positive business security environment
  • Understanding key business objectives (Correct)
  • Allocating sufficient resources to information security

Answer : Understanding key business objectives

Who should drive the risk analysis for an organization?

Options are :

  • Quality manager
  • Security manager (Correct)
  • Legal department
  • Senior management

Answer : Security manager

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

Options are :

  • Business continuity investment
  • Alignment with industry best practices
  • Regulatory compliance (Correct)
  • Business benefits

Answer : Regulatory compliance

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:

Options are :

  • integration.
  • alignment. (Correct)
  • value delivery.
  • performance measurement.

Answer : alignment.

What would be the MOST significant security risk when using wireless local area network (LAN) technology?

Options are :

  • Man-in-the-middle attack
  • Session hijacking
  • Rogue access point (Correct)
  • Spoofing of data packets

Answer : Rogue access point
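A rogue access point is ranked above the other options because it gives an attacker a foothold that the other attacks need first: a radio on or near the premises that clients will associate with, from which interception, session hijacking and spoofing all become easy. The practical counter-check is to compare what is actually on the air with the organisation's authorised inventory. The example below is added here (it is not from the page): the inventory, the scan result, the BSSIDs and SSIDs are all constructed, and `classify_scan`/`triage` are hypothetical function names. It goes slightly beyond the question by separating the three ways a scan can disagree with the inventory, since each calls for a different response.

```python
# Constructed inventory of authorised access points and a constructed scan
# result; both are illustrative and not from the page.
AUTHORIZED_APS = {
    # BSSID (radio MAC) -> (SSID, security mode)
    "00:11:22:33:44:01": ("CorpWiFi", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpWiFi", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("CorpGuest", "WPA2-PSK"),
}

SCAN = [
    # (bssid, ssid, security mode, signal dBm)
    ("00:11:22:33:44:01", "CorpWiFi", "WPA2-Enterprise", -48),
    ("00:11:22:33:44:03", "CorpGuest", "WPA2-PSK", -60),
    ("DE:AD:BE:EF:00:01", "CorpWiFi", "Open", -40),       # corporate SSID from an unknown radio
    ("aa:bb:cc:dd:ee:ff", "Linksys", "WPA2-PSK", -75),    # unknown SSID, unknown radio
    ("00:11:22:33:44:02", "CorpWiFi", "WPA2-PSK", -55),   # known radio, wrong security mode
]


def classify_scan(scan, authorized):
    """Map each BSSID that disagrees with the inventory to a finding category.

    evil_twin:       corporate SSID advertised by a radio not in the inventory
    config_mismatch: inventoried radio advertising a different SSID or security mode
    unknown_ap:      neither SSID nor BSSID is known (may be a neighbour, may be rogue)
    """
    authorized = {b.lower(): v for b, v in authorized.items()}
    corporate_ssids = {ssid for ssid, _ in authorized.values()}
    findings = {}
    for bssid, ssid, security, _rssi in scan:
        bssid = bssid.lower()
        if bssid in authorized:
            if (ssid, security) != authorized[bssid]:
                findings[bssid] = "config_mismatch"
        elif ssid in corporate_ssids:
            findings[bssid] = "evil_twin"
        else:
            findings[bssid] = "unknown_ap"
    return findings


# An evil twin can harvest corporate credentials, so it is handled first.
PRIORITY = {"evil_twin": 0, "config_mismatch": 1, "unknown_ap": 2}


def triage(findings):
    """Order findings so the ones that can capture corporate credentials come first."""
    return sorted(findings.items(), key=lambda kv: PRIORITY[kv[1]])


if __name__ == "__main__":
    for bssid, category in triage(classify_scan(SCAN, AUTHORIZED_APS)):
        print(f"{category:16} {bssid}")
```

Two caveats a practitioner would add. First, a BSSID is just a MAC address and can be cloned, so a rogue that copies an authorised radio's BSSID, SSID and security mode passes this check; catching that needs signal-strength or location fingerprinting from several sensors, which a single scan cannot give. Second, an `unknown_ap` next door is normal; the rogue that matters is one plugged into the corporate wired network, and confirming that requires correlating the finding with switch-port or DHCP data on the wired side.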

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

Options are :

  • Proportionality (Correct)
  • Ethics
  • Integration
  • Accountability

Answer : Proportionality

What is the PRIMARY role of the information security manager in the process of information classification within an organization?

Options are :

  • Deciding the classification levels applied to the organization's information assets
  • Defining and ratifying the classification structure of information assets (Correct)
  • Securing information assets in accordance with their classification
  • Checking if information assets have been classified properly

Answer : Defining and ratifying the classification structure of information assets

The MOST useful way to describe the objectives in the information security strategy is through:

Options are :

  • attributes and characteristics of the "desired state." (Correct)
  • calculation of annual loss expectations
  • mapping the IT systems to key business processes.
  • overall control objectives of the security program.

Answer : attributes and characteristics of the "desired state."

In order to highlight to management the importance of network security, the security manager should FIRST:

Options are :

  • develop a security architecture.
  • conduct a risk assessment. (Correct)
  • install a network intrusion detection system (NIDS) and prepare a list of attacks.
  • develop a network security policy.

Answer : conduct a risk assessment.

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

Options are :

  • developing effective metrics.
  • developing a business case (Correct)
  • promoting regulatory requirements.
  • establishing a periodic risk assessment.

Answer : developing a business case
