CISM Information Security Governance Certified

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

Options are :

  • meet with stakeholders to decide how to comply.
  • update the existing security/privacy policy.
  • analyze key risks in the compliance process.
  • assess whether existing controls meet the regulation. (Correct)

Answer : assess whether existing controls meet the regulation.

When personal information is transmitted across networks, there MUST be adequate controls over:

Options are :

  • change management.
  • privacy protection. (Correct)
  • encryption devices.
  • consent to data transfer.

Answer : privacy protection.

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

Options are :

  • procedure.
  • policy. (Correct)
  • baseline.
  • strategy.

Answer : policy

To achieve effective strategic alignment of security initiatives, it is important that:

Options are :

  • Procedures and standards be approved by all departmental heads.
  • Steering committee leadership be selected by rotation.
  • The business strategy be updated periodically.
  • Inputs be obtained and consensus achieved between the major organizational units. (Correct)

Answer : Inputs be obtained and consensus achieved between the major organizational units.

A security manager meeting the requirements for the international flow of personal data will need to ensure:

Options are :

  • a data processing agreement
  • subject access procedures.
  • the agreement of the data subjects. (Correct)
  • a data protection registration.

Answer : the agreement of the data subjects.

The PRIMARY objective of a security steering group is to:

Options are :

  • implement all decisions on security management across the organization.
  • ensure information security covers all business functions.
  • ensure information security aligns with business goals. (Correct)
  • raise information security awareness across the organization.

Answer : ensure information security aligns with business goals.

Logging is an example of which type of defense against systems compromise?

Options are :

  • Recovery
  • Containment
  • Reaction
  • Detection (Correct)

Answer : Detection

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

Options are :

  • ensure that security processes are consistent across the organization. (Correct)
  • enforce baseline security levels across the organization.
  • implement monitoring of key performance indicators for security processes.
  • ensure that security processes are fully documented.

Answer : ensure that security processes are consistent across the organization.

Which of the following is the MOST important to keep in mind when assessing the value of information?

Options are :

  • Regulatory requirement
  • The potential financial loss (Correct)
  • The cost of recreating the information
  • The cost of insurance coverage

Answer : The potential financial loss

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:

Options are :

  • changes in the roles matrix cannot be detected.
  • it implies compliance risks. (Correct)
  • it violates industry security practices.
  • short-term impact cannot be determined.

Answer : it implies compliance risks.

What is the PRIMARY role of the information security manager in the process of information classification within an organization?

Options are :

  • Securing information assets in accordance with their classification
  • Defining and ratifying the classification structure of information assets (Correct)
  • Deciding the classification levels applied to the organization's information assets
  • Checking if information assets have been classified properly

Answer : Defining and ratifying the classification structure of information assets

Which of the following is the MOST important prerequisite for establishing information security management within an organization?

Options are :

  • Information security policy
  • Information security organizational structure
  • Senior management commitment (Correct)
  • Information security framework

Answer : Senior management commitment

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

Options are :

  • Alignment with industry best practices
  • Business benefits
  • Regulatory compliance (Correct)
  • Business continuity investment

Answer : Regulatory compliance

Who should drive the risk analysis for an organization?

Options are :

  • Security manager (Correct)
  • Senior management
  • Quality manager
  • Legal department

Answer : Security manager

Who in an organization has the responsibility for classifying information?

Options are :

  • Information security officer
  • Data custodian
  • Data owner (Correct)
  • Database administrator

Answer : Data owner

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?

Options are :

  • Make the organization aware of those standards where local regulations cause conflicts
  • Give organization standards preference over local regulations
  • Follow local regulations only
  • Negotiate a local version of the organization standards (Correct)

Answer : Negotiate a local version of the organization standards

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

Options are :

  • generally accepted industry best practices.
  • legislative and regulatory requirements.
  • business requirements (Correct)
  • storage availability.

Answer : business requirements

What will have the HIGHEST impact on standard information security governance models?

Options are :

  • Organizational budget
  • Distance between physical locations
  • Number of employees
  • Complexity of organizational structure (Correct)

Answer : Complexity of organizational structure

Which of the following situations would MOST inhibit the effective implementation of security governance?

Options are :

  • The complexity of technology
  • Lack of high-level sponsorship (Correct)
  • Conflicting business priorities
  • Budgetary constraints

Answer : Lack of high-level sponsorship

Who is ultimately responsible for the organization's information?

Options are :

  • Board of directors (Correct)
  • Chief information officer (CIO)
  • Data custodian
  • Chief information security officer (CISO)

Answer : Board of directors

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

Options are :

  • Peer group comparison
  • Annualized loss expectancy (ALE)
  • Cost-benefit analysis (Correct)
  • Security breach frequency

Answer : Cost-benefit analysis

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

Options are :

  • corporate data privacy policy.
  • data privacy policy of the headquarters' country.
  • data privacy policy where data are collected. (Correct)
  • data privacy directive applicable globally.

Answer : data privacy policy where data are collected.

An outcome of effective security governance is:

Options are :

  • business dependency assessment
  • planning.
  • risk assessment.
  • strategic alignment. (Correct)

Answer : strategic alignment.

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

Options are :

  • Business case (Correct)
  • Risk assessment report
  • Technical evaluation report
  • Budgetary requirements

Answer : Business case

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?

Options are :

  • Operations manager
  • System users
  • Information security manager (Correct)
  • Business management

Answer : Information security manager

Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?

Options are :

  • A security program that enables business activities (Correct)
  • Key control monitoring
  • An effective security architecture
  • A robust security awareness program

Answer : A security program that enables business activities

An information security manager must understand the relationship between information security and business operations in order to:

Options are :

  • understand the threats to the business.
  • determine likely areas of noncompliance.
  • support organizational objectives. (Correct)
  • assess the possible impacts of compromise.

Answer : support organizational objectives.

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

Options are :

  • promoting regulatory requirements.
  • developing effective metrics.
  • establishing a periodic risk assessment
  • developing a business case (Correct)

Answer : developing a business case

In order to highlight to management the importance of network security, the security manager should FIRST:

Options are :

  • develop a network security policy.
  • develop a security architecture.
  • conduct a risk assessment. (Correct)
  • install a network intrusion detection system (NIDS) and prepare a list of attacks.

Answer : conduct a risk assessment.

The MOST complete business case for security solutions is one that:

Options are :

  • includes appropriate justification (Correct)
  • identifies incidents and losses.
  • explains the current risk profile
  • details regulatory requirements.

Answer : includes appropriate justification

Which of the following is an advantage of a centralized information security organizational structure?

Options are :

  • It is more responsive to business unit needs.
  • It is easier to manage and control (Correct)
  • It provides a faster turnaround for security requests.
  • It is easier to promote security awareness.

Answer : It is easier to manage and control

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:

Options are :

  • alignment. (Correct)
  • integration.
  • value delivery.
  • performance measurement.

Answer : alignment.

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

Options are :

  • Compliance with international security standards.
  • Use of a two-factor authentication system
  • Existence of an alternate hot site in case of business disruption.
  • Compliance with the organization's information security requirements (Correct)

Answer : Compliance with the organization's information security requirements