CISM Information Security Governance Certification Exam

The MOST complete business case for security solutions is one that:

Options are :

  • details regulatory requirements.
  • explains the current risk profile
  • identifies incidents and losses.
  • includes appropriate justification (Correct)

Answer : includes appropriate justification

An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?

Options are :

  • Require management to report on compliance (Correct)
  • Direct information security on what they need to do
  • Nothing; information security does not report to the board
  • Research solutions to determine the proper solutions

Answer : Require management to report on compliance

Investment in security technology and processes should be based on:

Options are :

  • clear alignment with the goals and objectives of the organization. (Correct)
  • safeguards that are inherent in existing technology.
  • success cases that have been experienced in previous projects.
  • best business practices.

Answer : clear alignment with the goals and objectives of the organization.

Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?

Options are :

  • Implement logical access controls to the information systems.
  • Obtain the support of the board of directors. (Correct)
  • Improve the employees' knowledge of security policies.
  • Improve the content of the information security awareness program.

Answer : Obtain the support of the board of directors.

Which of the following is MOST important to understand when developing a meaningful information security strategy?

Options are :

  • Regulatory environment
  • Organizational goals (Correct)
  • Organizational risks
  • International security standards

Answer : Organizational goals

A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the Information security program?

Options are :

  • Composition of the board
  • IT security skills
  • Cultures of the different countries (Correct)
  • Representation by regional business leaders

Answer : Cultures of the different countries

Which of the following is a benefit of information security governance?

Options are :

  • Increasing the risk of decisions based on incomplete management information
  • Questioning trust in vendor relationships (Correct)
  • Direct involvement of senior management in developing control processes
  • Reduction of the potential for civil or legal liability

Answer : Questioning trust in vendor relationships

Which of the following should be determined while defining risk management strategies?

Options are :

  • IT architecture complexity
  • Risk assessment criteria
  • Enterprise disaster recovery plans
  • Organizational objectives and risk appetite (Correct)

Answer : Organizational objectives and risk appetite

Which of the following would help to change an organization's security culture?

Options are :

  • Develop procedures to enforce the information security policy
  • Periodically audit compliance with the information security policy
  • Implement strict technical security controls
  • Obtain strong management support (Correct)

Answer : Obtain strong management support

What is the MOST important factor in the successful implementation of an enterprise wide information security program?

Options are :

  • Security awareness
  • Support of senior management (Correct)
  • Recalculation of the work factor
  • Realistic budget estimates

Answer : Support of senior management

The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:

Options are :

  • the impact of the plan on the business units is reduced
  • the plan aligns with the organization's business plan. (Correct)
  • departmental budgets are allocated appropriately to pay for the plan.
  • regulatory oversight requirements are met.

Answer : the plan aligns with the organization's business plan.

When an organization is implementing an information security governance program, its board of directors should be responsible for:

Options are :

  • setting the strategic direction of the program. (Correct)
  • reviewing training and awareness programs.
  • auditing for compliance.
  • drafting information security policies.

Answer : setting the strategic direction of the program.

The data access requirements for an application should be determined by the:

Options are :

  • business owner. (Correct)
  • compliance officer.
  • information security manager
  • legal department.

Answer : business owner.

A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?

Options are :

  • Acceptance of the information security manager's decision on the risk to the corporation
  • A new risk assessment and BIA are needed to resolve the disagreement
  • Acceptance of the business manager's decision on the risk to the corporation
  • Review of the assessment with executive management for final input (Correct)

Answer : Review of the assessment with executive management for final input

An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:

Options are :

  • proving information security's protective abilities.
  • conflicting security controls with organizational needs. (Correct)
  • strong protection of information resources.
  • implementing appropriate controls to reduce risk

Answer : conflicting security controls with organizational needs.

Which of the following is the BEST reason to perform a business impact analysis (BIA)?

Options are :

  • To satisfy regulatory requirements
  • To analyze the effect on the business
  • To help determine the current state of risk (Correct)
  • To budget appropriately for needed controls

Answer : To help determine the current state of risk

Information security should be:

Options are :

  • focused on eliminating all risks.
  • defined by the board of directors.
  • a balance between technical and business requirements. (Correct)
  • driven by regulatory requirements.

Answer : a balance between technical and business requirements.

Which of the following is an advantage of a centralized information security organizational structure?

Options are :

  • It is easier to manage and control (Correct)
  • It is easier to promote security awareness.
  • It provides a faster turnaround for security requests.
  • It is more responsive to business unit needs.

Answer : It is easier to manage and control

Who is responsible for ensuring that information is categorized and that specific protective measures are taken?

Options are :

  • The custodian
  • Senior management (Correct)
  • The end user
  • The security officer

Answer : Senior management

From an information security perspective, information that no longer supports the main purpose of the business should be:

Options are :

  • analyzed under the retention policy. (Correct)
  • analyzed under the backup policy.
  • protected under the business impact analysis (BIA).
  • protected under the information classification policy.

Answer : analyzed under the retention policy.

Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?

Options are :

  • Continuous risk reduction
  • Continuous analysis, monitoring and feedback (Correct)
  • Key risk indicator (KRI) setup to security management processes
  • Continuous monitoring of the return on security investment (ROSI)

Answer : Continuous analysis, monitoring and feedback

Which of the following is the BEST justification to convince management to invest in an information security program?

Options are :

  • Increased business value (Correct)
  • Protection of business assets
  • Cost reduction
  • Compliance with company policies

Answer : Increased business value

The BEST way to justify the implementation of a single sign-on (SSO) product is to use:

Options are :

  • annual loss expectancy (ALE).
  • return on investment (ROI)
  • a business case. (Correct)
  • a vulnerability assessment.

Answer : a business case.

The MOST important factor in ensuring the success of an information security program is effective:

Options are :

  • formulation of policies and procedures for information security.
  • monitoring compliance with information security policies and procedures.
  • communication of information security requirements to all users in the organization.
  • alignment with organizational goals and objectives. (Correct)

Answer : alignment with organizational goals and objectives.

On a company's e-commerce web site, a good legal statement regarding data privacy should include:

Options are :

  • a disclaimer regarding the accuracy of information on its web site.
  • a statement regarding where the information is being hosted
  • technical information regarding how information is protected.
  • a statement regarding what the company will do with the information it collects. (Correct)

Answer : a statement regarding what the company will do with the information it collects.

The FIRST step to create an internal culture that focuses on information security is to:

Options are :

  • implement stronger controls.
  • conduct periodic awareness training.
  • actively monitor operations.
  • gain the endorsement of executive management. (Correct)

Answer : gain the endorsement of executive management.

Effective IT governance is BEST ensured by:

Options are :

  • management by the IT department
  • utilizing a bottom-up approach.
  • referring the matter to the organization's legal department
  • utilizing a top-down approach. (Correct)

Answer : utilizing a top-down approach.

Which of the following should be included in an annual information security budget that is submitted for management approval?

Options are :

  • A cost-benefit analysis of budgeted resources (Correct)
  • Total cost of ownership (TCO)
  • All of the resources that are recommended by the business
  • Baseline comparisons

Answer : A cost-benefit analysis of budgeted resources

The FIRST step in establishing a security governance program is to:

Options are :

  • obtain high-level sponsorship. (Correct)
  • conduct a workshop for all end users.
  • conduct a risk assessment.
  • prepare a security budget.

Answer : obtain high-level sponsorship.

The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?

Options are :

  • A security breach notification might get delayed due to the time difference
  • Additional network intrusion detection sensors should be installed, resulting in an additional cost.
  • Laws and regulations of the country of origin may not be enforceable in the foreign country. (Correct)
  • The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

Answer : Laws and regulations of the country of origin may not be enforceable in the foreign country.

Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?

Options are :

  • A security program that enables business activities (Correct)
  • An effective security architecture
  • A robust security awareness program
  • Key control monitoring

Answer : A security program that enables business activities

What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?

Options are :

  • User training programs may be inadequate
  • Budgets allocated to business units are not appropriate.
  • Functional requirements are not adequately considered.
  • Information security plans are not aligned with business requirements (Correct)

Answer : Information security plans are not aligned with business requirements

An organization's information security strategy should be based on:

Options are :

  • avoiding occurrence of risks so that insurance is not required.
  • managing risk relative to business objectives. (Correct)
  • transferring most risks to insurers and saving on control costs.
  • managing risk to a zero level and minimizing insurance premiums.

Answer : managing risk relative to business objectives.

When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?

Options are :

  • Adhering to corporate privacy standards
  • Establishing system manager responsibility for information security
  • Establishing international security standards for data sharing
  • Preserving the confidentiality of sensitive data (Correct)

Answer : Preserving the confidentiality of sensitive data
