CISM Information Security Governance Certified Test

Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

Options are :

  • Require the administrator to obtain security certification
  • Include security responsibilities in the job description (Correct)
  • Train the system administrator on penetration testing and vulnerability assessment
  • Train the system administrator on risk assessment

Answer : Include security responsibilities in the job description


In implementing information security governance, the information security manager is PRIMARILY responsible for:

Options are :

  • communicating the security strategy.
  • approving the security strategy.
  • reviewing the security strategy.
  • developing the security strategy. (Correct)

Answer : developing the security strategy.

An organization's information security strategy should be based on:

Options are :

  • avoiding occurrence of risks so that insurance is not required.
  • transferring most risks to insurers and saving on control costs.
  • managing risk relative to business objectives. (Correct)
  • managing risk to a zero level and minimizing insurance premiums.

Answer : managing risk relative to business objectives.

The MOST important characteristic of good security policies is that they:

Options are :

  • state expectations of IT management.
  • are aligned with organizational goals. (Correct)
  • govern the creation of procedures and guidelines.
  • state only one general security mandate.

Answer : are aligned with organizational goals.


When developing an information security program, what is the MOST useful source of information for determining available resources?

Options are :

  • Skills inventory (Correct)
  • Organization chart
  • Job descriptions
  • Proficiency test

Answer : Skills inventory

An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:

Options are :

  • implementing appropriate controls to reduce risk.
  • conflicting security controls with organizational needs. (Correct)
  • proving information security's protective abilities.
  • strong protection of information resources.

Answer : conflicting security controls with organizational needs.

What would be the MOST significant security risks when using wireless local area network (LAN) technology?

Options are :

  • Spoofing of data packets
  • Man-in-the-middle attack
  • Rogue access point (Correct)
  • Session hijacking

Answer : Rogue access point


The MOST useful way to describe the objectives in the information security strategy is through:

Options are :

  • overall control objectives of the security program.
  • calculation of annual loss expectations.
  • mapping the IT systems to key business processes.
  • attributes and characteristics of the 'desired state.' (Correct)

Answer : attributes and characteristics of the 'desired state.'

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

Options are :

  • insist that managers or units not in agreement with the security solution accept the risk.
  • refer the issues to senior management along with any security recommendations. (Correct)
  • escalate issues to an external third party for resolution.
  • ensure that senior management provides authority for security to address the issues.

Answer : refer the issues to senior management along with any security recommendations.

On a company's e-commerce web site, a good legal statement regarding data privacy should include:

Options are :

  • technical information regarding how information is protected.
  • a disclaimer regarding the accuracy of information on its web site.
  • a statement regarding what the company will do with the information it collects. (Correct)
  • a statement regarding where the information is being hosted.

Answer : a statement regarding what the company will do with the information it collects.


Which of the following is MOST important to understand when developing a meaningful information security strategy?

Options are :

  • Regulatory environment
  • International security standards
  • Organizational risks
  • Organizational goals (Correct)

Answer : Organizational goals

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:

Options are :

  • review the functionalities and implementation requirements of the solution.
  • substantiate the investment in meeting organizational needs. (Correct)
  • review comparison reports of tool implementation in peer companies.
  • provide examples of situations where such a tool would be useful.

Answer : substantiate the investment in meeting organizational needs.

The BEST way to justify the implementation of a single sign-on (SSO) product is to use:

Options are :

  • return on investment (ROI).
  • a vulnerability assessment.
  • a business case. (Correct)
  • annual loss expectancy (ALE).

Answer : a business case.


Which of the following would help to change an organization's security culture?

Options are :

  • Develop procedures to enforce the information security policy
  • Obtain strong management support (Correct)
  • Periodically audit compliance with the information security policy
  • Implement strict technical security controls

Answer : Obtain strong management support

Which of the following is the BEST justification to convince management to invest in an information security program?

Options are :

  • Increased business value (Correct)
  • Cost reduction
  • Compliance with company policies
  • Protection of business assets

Answer : Increased business value

The FIRST step in establishing a security governance program is to:

Options are :

  • prepare a security budget.
  • obtain high-level sponsorship. (Correct)
  • conduct a risk assessment.
  • conduct a workshop for all end users.

Answer : obtain high-level sponsorship.


The MOST important factor in ensuring the success of an information security program is effective:

Options are :

  • formulation of policies and procedures for information security.
  • alignment with organizational goals and objectives. (Correct)
  • monitoring compliance with information security policies and procedures.
  • communication of information security requirements to all users in the organization.

Answer : alignment with organizational goals and objectives.

Which of the following should be included in an annual information security budget that is submitted for management approval?

Options are :

  • A cost-benefit analysis of budgeted resources (Correct)
  • Baseline comparisons
  • All of the resources that are recommended by the business
  • Total cost of ownership (TCO)

Answer : A cost-benefit analysis of budgeted resources

Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?

Options are :

  • Continuous monitoring of the return on security investment (ROSI)
  • Continuous analysis, monitoring and feedback (Correct)
  • Continuous risk reduction
  • Key risk indicator (KRI) setup to security management processes

Answer : Continuous analysis, monitoring and feedback


Which of the following is the MOST important element of an information security strategy?

Options are :

  • Adoption of a control framework
  • Time frames for delivery
  • Complete policies
  • Defined objectives (Correct)

Answer : Defined objectives

A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?

Options are :

  • Representation by regional business leaders
  • Cultures of the different countries (Correct)
  • Composition of the board
  • IT security skills

Answer : Cultures of the different countries

Who is responsible for ensuring that information is categorized and that specific protective measures are taken?

Options are :

  • The custodian
  • The end user
  • Senior management (Correct)
  • The security officer

Answer : Senior management


What is the MOST important factor in the successful implementation of an enterprise-wide information security program?

Options are :

  • Recalculation of the work factor
  • Security awareness
  • Realistic budget estimates
  • Support of senior management (Correct)

Answer : Support of senior management

Which of the following should be determined while defining risk management strategies?

Options are :

  • IT architecture complexity
  • Risk assessment criteria
  • Organizational objectives and risk appetite (Correct)
  • Enterprise disaster recovery plans

Answer : Organizational objectives and risk appetite

Which of the following is the BEST reason to perform a business impact analysis (BIA)?

Options are :

  • To analyze the effect on the business
  • To budget appropriately for needed controls
  • To help determine the current state of risk (Correct)
  • To satisfy regulatory requirements

Answer : To help determine the current state of risk


Effective IT governance is BEST ensured by:

Options are :

  • utilizing a top-down approach. (Correct)
  • referring the matter to the organization's legal department.
  • utilizing a bottom-up approach.
  • management by the IT department.

Answer : utilizing a top-down approach.

Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?

Options are :

  • Implement logical access controls to the information systems.
  • Improve the content of the information security awareness program.
  • Improve the employees' knowledge of security policies.
  • Obtain the support of the board of directors. (Correct)

Answer : Obtain the support of the board of directors.

Information security should be:

Options are :

  • focused on eliminating all risks.
  • defined by the board of directors.
  • driven by regulatory requirements.
  • a balance between technical and business requirements. (Correct)

Answer : a balance between technical and business requirements.


The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:

Options are :

  • the plan aligns with the organization's business plan. (Correct)
  • regulatory oversight requirements are met.
  • departmental budgets are allocated appropriately to pay for the plan.
  • the impact of the plan on the business units is reduced.

Answer : the plan aligns with the organization's business plan.

When an organization is implementing an information security governance program, its board of directors should be responsible for:

Options are :

  • drafting information security policies.
  • auditing for compliance.
  • reviewing training and awareness programs.
  • setting the strategic direction of the program. (Correct)

Answer : setting the strategic direction of the program.

The FIRST step to create an internal culture that focuses on information security is to:

Options are :

  • conduct periodic awareness training.
  • gain the endorsement of executive management. (Correct)
  • actively monitor operations.
  • implement stronger controls.

Answer : gain the endorsement of executive management.


When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?

Options are :

  • Adhering to corporate privacy standards
  • Establishing international security standards for data sharing
  • Preserving the confidentiality of sensitive data (Correct)
  • Establishing system manager responsibility for information security

Answer : Preserving the confidentiality of sensitive data

What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?

Options are :

  • User training programs may be inadequate.
  • Information security plans are not aligned with business requirements. (Correct)
  • Budgets allocated to business units are not appropriate.
  • Functional requirements are not adequately considered.

Answer : Information security plans are not aligned with business requirements

The data access requirements for an application should be determined by the:

Options are :

  • legal department.
  • business owner. (Correct)
  • information security manager.
  • compliance officer.

Answer : business owner.


The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?

Options are :

  • A security breach notification might get delayed due to the time difference.
  • Additional network intrusion detection sensors should be installed, resulting in an additional cost.
  • The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
  • Laws and regulations of the country of origin may not be enforceable in the foreign country. (Correct)

Answer : Laws and regulations of the country of origin may not be enforceable in the foreign country.

From an information security perspective, information that no longer supports the main purpose of the business should be:

Options are :

  • protected under the information classification policy.
  • analyzed under the retention policy. (Correct)
  • analyzed under the backup policy.
  • protected under the business impact analysis (BIA).

Answer : analyzed under the retention policy.

Which of the following is a benefit of information security governance?

Options are :

  • Reduction of the potential for civil or legal liability
  • Direct involvement of senior management in developing control processes
  • Questioning trust in vendor relationships (Correct)
  • Increasing the risk of decisions based on incomplete management information

Answer : Questioning trust in vendor relationships


Investment in security technology and processes should be based on:

Options are :

  • best business practices.
  • success cases that have been experienced in previous projects.
  • safeguards that are inherent in existing technology.
  • clear alignment with the goals and objectives of the organization. (Correct)

Answer : clear alignment with the goals and objectives of the organization.

An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?

Options are :

  • Direct information security on what they need to do
  • Require management to report on compliance (Correct)
  • Nothing; information security does not report to the board
  • Research solutions to determine the proper solutions

Answer : Require management to report on compliance

A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?

Options are :

  • A new risk assessment and BIA are needed to resolve the disagreement
  • Acceptance of the information security manager's decision on the risk to the corporation
  • Acceptance of the business manager's decision on the risk to the corporation
  • Review of the assessment with executive management for final input (Correct)

Answer : Review of the assessment with executive management for final input
