CISM Information Security Governance Practice Test Set 2

A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?


Options are :

  • Composition of the board
  • Cultures of the different countries (Correct)
  • Representation by regional business leaders
  • IT security skills

Answer : Cultures of the different countries

Which of the following is an advantage of a centralized information security organizational structure?


Options are :

  • It provides a faster turnaround for security requests.
  • It is easier to promote security awareness.
  • It is more responsive to business unit needs.
  • It is easier to manage and control (Correct)

Answer : It is easier to manage and control

Who should drive the risk analysis for an organization?


Options are :

  • Security manager (Correct)
  • Quality manager
  • Legal department
  • Senior management

Answer : Security manager

The MOST important characteristic of good security policies is that they:


Options are :

  • state expectations of IT management
  • state only one general security mandate.
  • govern the creation of procedures and guidelines.
  • are aligned with organizational goals. (Correct)

Answer : are aligned with organizational goals.

In implementing information security governance, the information security manager is PRIMARILY responsible for:


Options are :

  • communicating the security strategy.
  • developing the security strategy. (Correct)
  • reviewing the security strategy
  • approving the security strategy

Answer : developing the security strategy.

The MOST complete business case for security solutions is one that:


Options are :

  • explains the current risk profile
  • includes appropriate justification (Correct)
  • details regulatory requirements.
  • identifies incidents and losses.

Answer : includes appropriate justification

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?


Options are :

  • Compliance with the organization's information security requirements (Correct)
  • Use of a two-factor authentication system
  • Compliance with international security standards.
  • Existence of an alternate hot site in case of business disruption.

Answer : Compliance with the organization's information security requirements

Which of the following should be included in an annual information security budget that is submitted for management approval?


Options are :

  • All of the resources that are recommended by the business
  • Total cost of ownership (TCO)
  • Baseline comparisons
  • A cost-benefit analysis of budgeted resources (Correct)

Answer : A cost-benefit analysis of budgeted resources

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?


Options are :

  • Give organization standards preference over local regulations
  • Negotiate a local version of the organization standards (Correct)
  • Follow local regulations only
  • Make the organization aware of those standards where local regulations cause conflicts

Answer : Negotiate a local version of the organization standards

Which of the following is the MOST important to keep in mind when assessing the value of information?


Options are :

  • Regulatory requirement
  • The cost of recreating the information
  • The cost of insurance coverage
  • The potential financial loss (Correct)

Answer : The potential financial loss

Logging is an example of which type of defense against systems compromise?


Options are :

  • Containment
  • Detection (Correct)
  • Reaction
  • Recovery

Answer : Detection

A good privacy statement should include:


Options are :

  • notification that information will be encrypted.
  • what the company will do with information it collects. (Correct)
  • a description of the information classification process.
  • notification of liability on accuracy of information.

Answer : what the company will do with information it collects.

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:


Options are :

  • implement monitoring of key performance indicators for security processes.
  • ensure that security processes are consistent across the organization. (Correct)
  • ensure that security processes are fully documented.
  • enforce baseline security levels across the organization.

Answer : ensure that security processes are consistent across the organization.

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?


Options are :

  • Alignment with industry best practices
  • Business continuity investment
  • Regulatory compliance (Correct)
  • Business benefits

Answer : Regulatory compliance

The MOST basic requirement for an information security governance program is to:


Options are :

  • be based on a sound risk management approach.
  • be aligned with the corporate business strategy. (Correct)
  • provide adequate regulatory compliance.
  • provide best practices for security initiatives.

Answer : be aligned with the corporate business strategy.

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:


Options are :

  • prepare a security budget.
  • develop an information security policy.
  • conduct a risk assessment. (Correct)
  • obtain benchmarking information.

Answer : conduct a risk assessment.

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?


Options are :

  • Integration
  • Ethics
  • Accountability
  • Proportionality (Correct)

Answer : Proportionality

Who in an organization has the responsibility for classifying information?


Options are :

  • Information security officer
  • Data owner (Correct)
  • Database administrator
  • Data custodian

Answer : Data owner

At what stage of the applications development process should the security department initially become involved?


Options are :

  • At detail requirements (Correct)
  • At programming
  • At testing
  • When requested

Answer : At detail requirements

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:


Options are :

  • data privacy directive applicable globally.
  • corporate data privacy policy.
  • data privacy policy where data are collected. (Correct)
  • data privacy policy of the headquarters' country.

Answer : data privacy policy where data are collected.

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:


Options are :

  • meet with stakeholders to decide how to comply.
  • analyze key risks in the compliance process.
  • assess whether existing controls meet the regulation. (Correct)
  • update the existing security/privacy policy.

Answer : assess whether existing controls meet the regulation.

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:


Options are :

  • calculating return on investment (ROI) projections (Correct)
  • quantifying the cost of control failures.
  • assessing the frequency of incidents
  • comparing spending against similar organizations.

Answer : calculating return on investment (ROI) projections

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:


Options are :

  • legal counsel.
  • chief technology officer (CTO).
  • head of internal audit
  • chief operations officer (COO). (Correct)

Answer : chief operations officer (COO).

Which of the following is responsible for legal and regulatory liability?


Options are :

  • Information security steering group
  • Chief legal counsel (CLC)
  • Board and senior management (Correct)
  • Chief security officer (CSO)

Answer : Board and senior management

When designing an information security quarterly report to management, the MOST important element to be considered should be the:


Options are :

  • information security metrics
  • baseline against which metrics are evaluated
  • linkage to business area objectives (Correct)
  • knowledge required to analyze each issue.

Answer : linkage to business area objectives

When personal information is transmitted across networks, there MUST be adequate controls over:


Options are :

  • consent to data transfer.
  • change management.
  • privacy protection. (Correct)
  • encryption devices

Answer : privacy protection.

From an information security manager's perspective, what is the immediate benefit of clearly defined roles and responsibilities?


Options are :

  • Better accountability (Correct)
  • Segregation of duties
  • Enhanced policy compliance
  • Improved procedure flows

Answer : Better accountability

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:


Options are :

  • bring all locations into conformity with the aggregate requirements of all governmental jurisdictions
  • establish a baseline standard incorporating those requirements that all jurisdictions have in common.
  • bring all locations into conformity with a generally accepted set of industry best practices.
  • establish baseline standards for all locations and add supplemental standards as required. (Correct)

Answer : establish baseline standards for all locations and add supplemental standards as required.

Information security projects should be prioritized on the basis of:


Options are :

  • time required for implementation.
  • mix of resources required.
  • total cost for implementation
  • impact on the organization (Correct)

Answer : impact on the organization

A security manager meeting the requirements for the international flow of personal data will need to ensure:


Options are :

  • the agreement of the data subjects. (Correct)
  • a data protection registration.
  • subject access procedures.
  • a data processing agreement

Answer : the agreement of the data subjects.
