CISM Information Security Governance Certified

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

Options are :

  • meet with stakeholders to decide how to comply.
  • update the existing security/privacy policy.
  • analyze key risks in the compliance process.
  • assess whether existing controls meet the regulation. (Correct)

Answer : assess whether existing controls meet the regulation.

CISM Information Risk Management Certification Practice

When personal information is transmitted across networks, there MUST be adequate controls over:

Options are :

  • change management.
  • privacy protection. (Correct)
  • encryption devices
  • consent to data transfer.

Answer : privacy protection.

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

Options are :

  • procedure.
  • policy (Correct)
  • baseline
  • strategy

Answer : policy

To achieve effective strategic alignment of security initiatives, it is important that:

Options are :

  • Procedures and standards be approved by all departmental heads.
  • Steering committee leadership be selected by rotation.
  • The business strategy be updated periodically.
  • Inputs be obtained and consensus achieved between the major organizational units (Correct)

Answer : Inputs be obtained and consensus achieved between the major organizational units

CISM Information Security Program Development

A security manager meeting the requirements for the international flow of personal data will need to ensure:

Options are :

  • a data processing agreement
  • subject access procedures.
  • the agreement of the data subjects. (Correct)
  • a data protection registration.

Answer : the agreement of the data subjects.

The PRIMARY objective of a security steering group is to:

Options are :

  • implement all decisions on security management across the organization.
  • ensure information security covers all business functions
  • ensure information security aligns with business goals. (Correct)
  • raise information security awareness across the organization.

Answer : ensure information security aligns with business goals.

Logging is an example of which type of defense against systems compromise?

Options are :

  • Recovery
  • Containment
  • Reaction
  • Detection (Correct)

Answer : Detection

CISM Information Security Program Management Practice Exam

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

Options are :

  • ensure that security processes are consistent across the organization. (Correct)
  • enforce baseline security levels across the organization.
  • implement monitoring of key performance indicators for security processes.
  • ensure that security processes are fully documented.

Answer : ensure that security processes are consistent across the organization.

Which of the following is the MOST important to keep in mind when assessing the value of information?

Options are :

  • Regulatory requirement
  • The potential financial loss (Correct)
  • The cost of recreating the information
  • The cost of insurance coverage

Answer : The potential financial loss

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:

Options are :

  • changes in the roles matrix cannot be detected.
  • it implies compliance risks. (Correct)
  • it violates industry security practices.
  • short-term impact cannot be determined.

Answer : it implies compliance risks.

CISM Incident Management and Response Practice Exam

What is the PRIMARY role of the information security manager in the process of information classification within an organization?

Options are :

  • Securing information assets in accordance with their classification
  • Defining and ratifying the classification structure of information assets (Correct)
  • Deciding the classification levels applied to the organization's information assets
  • Checking if information assets have been classified properly

Answer : Defining and ratifying the classification structure of information assets

Which of the following is the MOST important prerequisite for establishing information security management within an organization?

Options are :

  • Information security policy
  • Information security organizational structure
  • Senior management commitment (Correct)
  • Information security framework

Answer : Senior management commitment

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

Options are :

  • Alignment with industry best practices
  • Business benefits
  • Regulatory compliance (Correct)
  • Business continuity investment

Answer : Regulatory compliance

CISM Information Risk Management Certification Practice

Who should drive the risk analysis for an organization?

Options are :

  • Security manager (Correct)
  • Senior management
  • Quality manager
  • Legal department

Answer : Security manager

Who in an organization has the responsibility for classifying information?

Options are :

  • Information security officer
  • Data custodian
  • Data owner (Correct)
  • Database administrator

Answer : Data owner

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?

Options are :

  • Make the organization aware of those standards where local regulations cause conflicts
  • Give organization standards preference over local regulations
  • Follow local regulations only
  • Negotiate a local version of the organization standards (Correct)

Answer : Negotiate a local version of the organization standards

CISM Information Security Program Management

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

Options are :

  • generally accepted industry best practices.
  • legislative and regulatory requirements.
  • business requirements (Correct)
  • storage availability.

Answer : business requirements

What will have the HIGHEST impact on standard information security governance models?

Options are :

  • Organizational budget
  • Distance between physical locations
  • Number of employees
  • Complexity of organizational structure (Correct)

Answer : Complexity of organizational structure

Which of the following situations would MOST inhibit the effective implementation of security governance:

Options are :

  • The complexity of technology
  • High-level sponsorship (Correct)
  • Conflicting business priorities
  • Budgetary constraints

Answer : High-level sponsorship

CISM Information Security Program Management

Who is ultimately responsible for the organization's information?

Options are :

  • Board of directors (Correct)
  • Chief information officer (CIO)
  • Data custodian
  • Chief information security officer (CISO)

Answer : Board of directors

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

Options are :

  • Peer group comparison
  • Annualized loss expectancy (ALE)
  • Cost-benefit analysis (Correct)
  • Security breach frequency

Answer : Cost-benefit analysis

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

Options are :

  • corporate data privacy policy.
  • data privacy policy of the headquarters' country.
  • data privacy policy where data are collected. (Correct)
  • data privacy directive applicable globally.

Answer : data privacy policy where data are collected.

CISM Information Risk Management Certification

An outcome of effective security governance is:

Options are :

  • business dependency assessment
  • planning.
  • risk assessment.
  • strategic alignment. (Correct)

Answer : strategic alignment.

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

Options are :

  • Business case (Correct)
  • Risk assessment report
  • Technical evaluation report
  • Budgetary requirements

Answer : Business case

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?

Options are :

  • Operations manager
  • System users
  • Information security manager (Correct)
  • Business management

Answer : Information security manager

CISM Information Risk Management Certification

Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?

Options are :

  • A security program that enables business activities (Correct)
  • Key control monitoring
  • An effective security architecture
  • A robust security awareness program

Answer : A security program that enables business activities

An information security manager must understand the relationship between information security and business operations in order to:

Options are :

  • understand the threats to the business.
  • determine likely areas of noncompliance.
  • support organizational objectives. (Correct)
  • assess the possible impacts of compromise.

Answer : support organizational objectives.

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

Options are :

  • promoting regulatory requirements.
  • developing effective metrics.
  • establishing a periodic risk assessment
  • developing a business case (Correct)

Answer : developing a business case

CISM Information Risk Management Certification Practice

In order to highlight to management the importance of network security, the security manager should FIRST:

Options are :

  • develop a network security policy.
  • develop a security architecture.
  • conduct a risk assessment. (Correct)
  • install a network intrusion detection system (NIDS) and prepare a list of attacks

Answer : conduct a risk assessment.

The MOST complete business case for security solutions is one that:

Options are :

  • includes appropriate justification (Correct)
  • identifies incidents and losses.
  • explains the current risk profile
  • details regulatory requirements.

Answer : includes appropriate justification

Which of the following is an advantage of a centralized information security organizational structure?

Options are :

  • It is more responsive to business unit needs.
  • It is easier to manage and control (Correct)
  • It provides a faster turnaround for security requests.
  • It is easier to promote security awareness.

Answer : It is easier to manage and control

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:

Options are :

  • alignment. (Correct)
  • integration.
  • value delivery
  • performance measurement.

Answer : alignment.

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

Options are :

  • Compliance with international security standards.
  • Use of a two-factor authentication system
  • Existence of an alternate hot site in case of business disruption.
  • Compliance with the organization's information security requirements (Correct)

Answer : Compliance with the organization's information security requirements