CISM Information Security Governance Certification

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

Options are :

  • Approve access to critical financial systems
  • Update platform-level security settings
  • Develop an information security strategy paper (Correct)
  • Conduct disaster recovery test exercises

Answer : Develop an information security strategy paper

Which of the following is responsible for legal and regulatory liability?

Options are :

  • Board and senior management (Correct)
  • Information security steering group
  • Chief legal counsel (CLC)
  • Chief security officer (CSO)

Answer : Board and senior management

Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

Options are :

  • Evaluate the impact of information security risks (Correct)
  • Ensure that all IT risks are identified
  • Demonstrate that IT mitigating controls are in place
  • Suggest new IT controls to mitigate operational risk

Answer : Evaluate the impact of information security risks

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

Options are :

  • procedure.
  • policy (Correct)
  • baseline
  • strategy

Answer : policy

Which of the following would BEST prepare an information security manager for regulatory reviews?

Options are :

  • Assess previous regulatory reports with process owners input
  • Assign an information security administrator as regulatory liaison
  • Perform self-assessments using regulatory guidelines and reports (Correct)
  • Ensure all regulatory inquiries are sanctioned by the legal department

Answer : Perform self-assessments using regulatory guidelines and reports

Which of the following is the MOST important information to include in a strategic plan for information security?

Options are :

  • Information security staffing requirements
  • Current state and desired future state (Correct)
  • Information security mission statement
  • IT capital investment requirements

Answer : Current state and desired future state

Which of the following is the MOST important factor when designing information security architecture?

Options are :

  • Stakeholder requirements (Correct)
  • Scalability of the network
  • Development methodologies
  • Technical platform interfaces

Answer : Stakeholder requirements

Information security policy enforcement is the responsibility of the:

Options are :

  • security steering committee
  • chief information security officer (CISO). (Correct)
  • chief information officer (CIO).
  • chief compliance officer (CCO).

Answer : chief information security officer (CISO).

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

Options are :

  • chief technology officer (CTO).
  • chief operations officer (COO). (Correct)
  • head of internal audit
  • legal counsel.

Answer : chief operations officer (COO).

The PRIMARY objective of a security steering group is to:

Options are :

  • implement all decisions on security management across the organization.
  • ensure information security covers all business functions
  • ensure information security aligns with business goals. (Correct)
  • raise information security awareness across the organization.

Answer : ensure information security aligns with business goals.

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?

Options are :

  • Knowledge of information technology platforms, networks and development methodologies
  • Ability to manage a diverse group of individuals and resources across an organization
  • Knowledge of the regulatory environment and project management techniques
  • Ability to understand and map organizational needs to security technologies (Correct)

Answer : Ability to understand and map organizational needs to security technologies

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

Options are :

  • assessing the frequency of incidents
  • calculating return on investment (ROI) projections (Correct)
  • comparing spending against similar organizations.
  • quantifying the cost of control failures.

Answer : calculating return on investment (ROI) projections

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

Options are :

  • Statement of generally accepted best practices
  • Associating realistic threats to corporate objectives (Correct)
  • Analysis of current technological exposures
  • Examples of genuine incidents at similar organizations

Answer : Associating realistic threats to corporate objectives

While implementing information security governance an organization should FIRST:

Options are :

  • adopt security standards.
  • determine security baselines.
  • define the security strategy. (Correct)
  • establish security policies.

Answer : define the security strategy.

When designing an information security quarterly report to management, the MOST important element to be considered should be the:

Options are :

  • information security metrics
  • knowledge required to analyze each issue.
  • linkage to business area objectives (Correct)
  • baseline against which metrics are evaluated

Answer : linkage to business area objectives

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

Options are :

  • establish a baseline standard incorporating those requirements that all jurisdictions have in common.
  • establish baseline standards for all locations and add supplemental standards as required. (Correct)
  • bring all locations into conformity with a generally accepted set of industry best practices.
  • bring all locations into conformity with the aggregate requirements of all governmental jurisdictions

Answer : establish baseline standards for all locations and add supplemental standards as required.

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

Options are :

  • data privacy directive applicable globally.
  • data privacy policy of the headquarters' country.
  • data privacy policy where data are collected. (Correct)
  • corporate data privacy policy.

Answer : data privacy policy where data are collected.

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

Options are :

  • legislative and regulatory requirements.
  • storage availability.
  • generally accepted industry best practices.
  • business requirements (Correct)

Answer : business requirements

A good privacy statement should include:

Options are :

  • notification that information will be encrypted.
  • what the company will do with information it collects. (Correct)
  • notification of liability on accuracy of information.
  • a description of the information classification process.

Answer : what the company will do with information it collects.

Which of the following are likely to be updated MOST frequently?

Options are :

  • Standards for password length and complexity
  • Standards for document retention and destruction
  • Policies addressing information security governance
  • Procedures for hardening database servers (Correct)

Answer : Procedures for hardening database servers

From an information security manager perspective, what is the immediate benefit of clearly-defined roles and responsibilities?

Options are :

  • Segregation of duties
  • Better accountability (Correct)
  • Improved procedure flows
  • Enhanced policy compliance

Answer : Better accountability

Which of the following would be MOST effective in successfully implementing restrictive password policies?

Options are :

  • Single sign-on system
  • Penalties for noncompliance
  • Security awareness program (Correct)
  • Regular password audits

Answer : Security awareness program

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

Options are :

  • three-to-five years for both hardware and software.
  • based on the current rate of technological change.
  • aligned with the IT strategic plan.
  • aligned with the business strategy. (Correct)

Answer : aligned with the business strategy.

The MOST basic requirement for an information security governance program is to:

Options are :

  • be aligned with the corporate business strategy. (Correct)
  • provide best practices for security initiatives.
  • be based on a sound risk management approach.
  • provide adequate regulatory compliance.

Answer : be aligned with the corporate business strategy.

Reviewing which of the following would BEST ensure that security controls are effective?

Options are :

  • Return on security investment
  • Risk assessment policies
  • Security metrics (Correct)
  • User access rights

Answer : Security metrics

Information security projects should be prioritized on the basis of:

Options are :

  • total cost for implementation
  • impact on the organization (Correct)
  • mix of resources required.
  • time required for implementation.

Answer : impact on the organization

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

Options are :

  • ensure that security processes are consistent across the organization. (Correct)
  • ensure that security processes are fully documented.
  • implement monitoring of key performance indicators for security processes.
  • enforce baseline security levels across the organization.

Answer : ensure that security processes are consistent across the organization.

Which of the following is the MOST important information to include in an information security standard?

Options are :

  • Last review date (Correct)
  • Initial draft approval date
  • Author name
  • Creation date

Answer : Last review date

Which of the following MOST commonly falls within the scope of an information security governance steering committee?

Options are :

  • Developing content for security awareness programs
  • Approving access to critical financial systems
  • Prioritizing information security initiatives (Correct)
  • Interviewing candidates for information security specialist positions

Answer : Prioritizing information security initiatives

When personal information is transmitted across networks, there MUST be adequate controls over:

Options are :

  • privacy protection. (Correct)
  • encryption devices
  • consent to data transfer.
  • change management.

Answer : privacy protection.

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

Options are :

  • analyze key risks in the compliance process.
  • assess whether existing controls meet the regulation. (Correct)
  • meet with stakeholders to decide how to comply.
  • update the existing security/privacy policy.

Answer : assess whether existing controls meet the regulation.

At what stage of the applications development process should the security department initially become involved?

Options are :

  • When requested
  • At detail requirements (Correct)
  • At programming
  • At testing

Answer : At detail requirements

Who should be responsible for enforcing access rights to application data?

Options are :

  • Security administrators (Correct)
  • The security steering committee
  • Data owners
  • Business process owners

Answer : Security administrators

Who in an organization has the responsibility for classifying information?

Options are :

  • Data owner (Correct)
  • Data custodian
  • Database administrator
  • Information security officer

Answer : Data owner

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

Options are :

  • Risk assessment reports (Correct)
  • Return on security investment report
  • Security metrics reports
  • Business impact analysis (BIA)

Answer : Risk assessment reports
