CISM Information Security Governance Practice Test Set 1

What would be the MOST significant security risk when using wireless local area network (LAN) technology?


Options are :

  • Spoofing of data packets
  • Man-in-the-middle attack
  • Session hijacking
  • Rogue access point (Correct)

Answer : Rogue access point

Which of the following is MOST important to understand when developing a meaningful information security strategy?


Options are :

  • Organizational goals (Correct)
  • Regulatory environment
  • International security standards
  • Organizational risks

Answer : Organizational goals

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:


Options are :

  • refer the issues to senior management along with any security recommendations. (Correct)
  • ensure that senior management provides authority for security to address the issues.
  • escalate issues to an external third party for resolution.
  • insist that managers or units not in agreement with the security solution accept the risk.

Answer : refer the issues to senior management along with any security recommendations.

The BEST way to justify the implementation of a single sign-on (SSO) product is to use:


Options are :

  • a vulnerability assessment.
  • a business case. (Correct)
  • annual loss expectancy (ALE).
  • return on investment (ROI).

Answer : a business case.

Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?


Options are :

  • Continuous monitoring of the return on security investment (ROSI)
  • Key risk indicator (KRI) setup to security management processes
  • Continuous risk reduction
  • Continuous analysis, monitoring and feedback (Correct)

Answer : Continuous analysis, monitoring and feedback

The FIRST step in developing an information security management program is to:


Options are :

  • identify business risks that affect the organization.
  • assess adequacy of controls to mitigate business risks.
  • assign responsibility for the program.
  • clarify organizational purpose for creating the program. (Correct)

Answer : clarify organizational purpose for creating the program.

Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?


Options are :

  • Train the system administrator on penetration testing and vulnerability assessment
  • Train the system administrator on risk assessment
  • Include security responsibilities in the job description (Correct)
  • Require the administrator to obtain security certification

Answer : Include security responsibilities in the job description

The FIRST step in establishing a security governance program is to:


Options are :

  • conduct a risk assessment.
  • conduct a workshop for all end users.
  • obtain high-level sponsorship. (Correct)
  • prepare a security budget.

Answer : obtain high-level sponsorship.

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:


Options are :

  • value delivery.
  • alignment. (Correct)
  • performance measurement.
  • integration.

Answer : alignment.

Which of the following would help to change an organization's security culture?


Options are :

  • Obtain strong management support (Correct)
  • Periodically audit compliance with the information security policy
  • Implement strict technical security controls
  • Develop procedures to enforce the information security policy

Answer : Obtain strong management support

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:


Options are :

  • substantiate the investment in meeting organizational needs. (Correct)
  • review the functionalities and implementation requirements of the solution.
  • review comparison reports of tool implementation in peer companies.
  • provide examples of situations where such a tool would be useful.

Answer : substantiate the investment in meeting organizational needs.

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?


Options are :

  • Operations manager
  • Business management
  • System users
  • Information security manager (Correct)

Answer : Information security manager

In order to highlight to management the importance of network security, the security manager should FIRST:


Options are :

  • develop a security architecture.
  • install a network intrusion detection system (NIDS) and prepare a list of attacks.
  • develop a network security policy.
  • conduct a risk assessment. (Correct)

Answer : conduct a risk assessment.

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:


Options are :

  • changes in the roles matrix cannot be detected.
  • it implies compliance risks. (Correct)
  • short-term impact cannot be determined.
  • it violates industry security practices.

Answer : it implies compliance risks.

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?


Options are :

  • Peer group comparison
  • Annualized loss expectancy (ALE)
  • Cost-benefit analysis (Correct)
  • Security breach frequency

Answer : Cost-benefit analysis

An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:


Options are :

  • implementing appropriate controls to reduce risk.
  • proving information security's protective abilities.
  • strong protection of information resources.
  • conflicting security controls with organizational needs. (Correct)

Answer : conflicting security controls with organizational needs.

Which of the following is the MOST important element of an information security strategy?


Options are :

  • Time frames for delivery
  • Defined objectives (Correct)
  • Complete policies
  • Adoption of a control framework

Answer : Defined objectives

Which of the following situations would MOST inhibit the effective implementation of security governance?


Options are :

  • Conflicting business priorities
  • Budgetary constraints
  • The complexity of technology
  • High-level sponsorship (Correct)

Answer : High-level sponsorship

An organization's information security strategy should be based on:


Options are :

  • managing risk to a zero level and minimizing insurance premiums.
  • managing risk relative to business objectives. (Correct)
  • transferring most risks to insurers and saving on control costs.
  • avoiding occurrence of risks so that insurance is not required.

Answer : managing risk relative to business objectives.

On a company's e-commerce web site, a good legal statement regarding data privacy should include:


Options are :

  • a disclaimer regarding the accuracy of information on its web site.
  • technical information regarding how information is protected.
  • a statement regarding where the information is being hosted.
  • a statement regarding what the company will do with the information it collects. (Correct)

Answer : a statement regarding what the company will do with the information it collects.

To achieve effective strategic alignment of security initiatives, it is important that:


Options are :

  • Steering committee leadership be selected by rotation.
  • Procedures and standards be approved by all departmental heads.
  • The business strategy be updated periodically.
  • Inputs be obtained and consensus achieved between the major organizational units. (Correct)

Answer : Inputs be obtained and consensus achieved between the major organizational units.

When developing an information security program, what is the MOST useful source of information for determining available resources?


Options are :

  • Skills inventory (Correct)
  • Proficiency test
  • Organization chart
  • Job descriptions

Answer : Skills inventory

Obtaining senior management support for establishing a warm site can BEST be accomplished by:


Options are :

  • developing effective metrics.
  • establishing a periodic risk assessment.
  • promoting regulatory requirements.
  • developing a business case. (Correct)

Answer : developing a business case.

Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?


Options are :

  • Key control monitoring
  • A robust security awareness program
  • A security program that enables business activities (Correct)
  • An effective security architecture

Answer : A security program that enables business activities

Which of the following is the BEST justification to convince management to invest in an information security program?


Options are :

  • Protection of business assets
  • Compliance with company policies
  • Cost reduction
  • Increased business value (Correct)

Answer : Increased business value

The MOST useful way to describe the objectives in the information security strategy is through:


Options are :

  • calculation of annual loss expectations.
  • overall control objectives of the security program.
  • mapping the IT systems to key business processes.
  • attributes and characteristics of the "desired state." (Correct)

Answer : attributes and characteristics of the "desired state."

The MOST important factor in ensuring the success of an information security program is effective:


Options are :

  • communication of information security requirements to all users in the organization.
  • monitoring compliance with information security policies and procedures.
  • alignment with organizational goals and objectives. (Correct)
  • formulation of policies and procedures for information security.

Answer : alignment with organizational goals and objectives.

An outcome of effective security governance is:


Options are :

  • planning.
  • strategic alignment. (Correct)
  • risk assessment.
  • business dependency assessment.

Answer : strategic alignment.

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?


Options are :

  • Business case (Correct)
  • Technical evaluation report
  • Risk assessment report
  • Budgetary requirements

Answer : Business case

An information security manager must understand the relationship between information security and business operations in order to:


Options are :

  • determine likely areas of noncompliance.
  • assess the possible impacts of compromise.
  • understand the threats to the business.
  • support organizational objectives. (Correct)

Answer : support organizational objectives.