CISM Information Security Governance Certification Practice

The MOST important component of a privacy policy is:

Options are :

  • geographic coverage.
  • notifications. (Correct)
  • liabilities.
  • warranties

Answer : notifications.

Which of the following requirements would have the lowest level of priority in information security?

Options are :

  • Technical (Correct)
  • Privacy
  • Regulatory
  • Business

Answer : Technical

Minimum standards for securing the technical infrastructure should be defined in a security:

Options are :

  • strategy
  • guidelines.
  • architecture. (Correct)
  • model

Answer : architecture.

Information security governance is PRIMARILY driven by:

Options are :

  • regulatory requirements.
  • technology constraints.
  • business strategy. (Correct)
  • litigation potential

Answer : business strategy.

Retention of business records should PRIMARILY be based on:

Options are :

  • business ease and value analysis.
  • regulatory and legal requirements. (Correct)
  • business strategy and direction.
  • storage capacity and longevity

Answer : regulatory and legal requirements.

The cost of implementing a security control should not exceed the:

Options are :

  • implementation opportunity costs.
  • annualized loss expectancy.
  • cost of an incident
  • asset value (Correct)

Answer : asset value

The PRIMARY goal in developing an information security strategy is to:

Options are :

  • ensure that legal and regulatory requirements are met
  • educate business process owners regarding their duties
  • support the business objectives of the organization. (Correct)
  • establish security metrics and performance monitoring.

Answer : support the business objectives of the organization.

Which of the following represents the MAJOR focus of privacy regulations?

Options are :

  • Unrestricted data mining
  • Human rights protection
  • Identifiable personal data (Correct)
  • Identity theft

Answer : Identifiable personal data

Security technologies should be selected PRIMARILY on the basis of their:

Options are :

  • use of new and emerging technologies.
  • ability to mitigate business risks (Correct)
  • benefits in comparison to their costs.
  • evaluations in trade publications.

Answer : ability to mitigate business risks

Which of the following should be the FIRST step in developing an information security plan?

Options are :

  • Assess the current levels of security awareness
  • Analyze the current business strategy (Correct)
  • Perform a business impact analysis
  • Perform a technical vulnerabilities assessment

Answer : Analyze the current business strategy

When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?

Options are :

  • Benchmark peer organizations
  • Develop a security architecture
  • Assemble an experienced staff
  • Establish good communication with steering committee members (Correct)

Answer : Establish good communication with steering committee members

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:

Options are :

  • the responsibilities of organizational units.
  • security needs
  • organization-wide metrics.
  • organizational risk (Correct)

Answer : organizational risk

Which of the following is MOST appropriate for inclusion in an information security strategy?

Options are :

  • Budget estimates to acquire specific security tools
  • Firewall rule sets, network defaults and intrusion detection system (IDS) settings
  • Business controls designated as key controls
  • Security processes, methods, tools and techniques (Correct)

Answer : Security processes, methods, tools and techniques

Senior management commitment and support for information security can BEST be enhanced through:

Options are :

  • regular security awareness training for employees.
  • periodic review of alignment with business management goals (Correct)
  • a formal security policy sponsored by the chief executive officer (CEO).
  • senior management signoff on the information security strategy

Answer : periodic review of alignment with business management goals

Which of the following would be the MOST important goal of an information security governance program?

Options are :

  • Total elimination of risk factors
  • Effective involvement in business decision making
  • Review of internal control mechanisms
  • Ensuring trust in data (Correct)

Answer : Ensuring trust in data

Senior management commitment and support for information security can BEST be obtained through presentations that:

Options are :

  • tie security risks to key business objectives. (Correct)
  • use illustrative examples of successful attacks.
  • explain the technical risks to the organization.
  • evaluate the organization against best security practices.

Answer : tie security risks to key business objectives.

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

Options are :

  • Information security manager
  • Internal auditor
  • Chief operating officer (COO) (Correct)
  • Legal counsel

Answer : Chief operating officer (COO)

Relationships among security technologies are BEST defined through which of the following?

Options are :

  • Network topology
  • Security architecture (Correct)
  • Process improvement models
  • Security metrics

Answer : Security architecture

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

Options are :

  • Enforce the existing security standard
  • Perform a risk analysis to quantify the risk (Correct)
  • Change the standard to permit the deployment
  • Perform research to propose use of a better technology

Answer : Perform a risk analysis to quantify the risk

When a security standard conflicts with a business objective, the situation should be resolved by:

Options are :

  • performing a risk analysis (Correct)
  • performing a risk analysis
  • changing the security standard.
  • changing the business objective

Answer : performing a risk analysis

Which of the following is MOST likely to be discretionary?

Options are :

  • Guidelines (Correct)
  • Standards
  • Procedures
  • Policies

Answer : Guidelines

Investments in information security technologies should be based on:

Options are :

  • audit recommendations.
  • value analysis (Correct)
  • business climate.
  • vulnerability assessments.

Answer : value analysis

Which of the following are seldom changed in response to technological changes?

Options are :

  • Procedures
  • Guidelines
  • Standards
  • Policies (Correct)

Answer : Policies

Acceptable levels of information security risk should be determined by:

Options are :

  • legal counsel.
  • external auditors.
  • security management.
  • the steering committee. (Correct)

Answer : the steering committee.

It is MOST important that information security architecture be aligned with which of the following?

Options are :

  • Business objectives and goals (Correct)
  • Information technology plans
  • Information security best practices
  • Industry best practices

Answer : Business objectives and goals

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

Options are :

  • Better adherence to policies
  • More savings in total operating costs
  • More uniformity in quality of service
  • Better alignment to business unit needs (Correct)

Answer : Better alignment to business unit needs

Which of the following would BEST ensure the success of information security governance within an organization?

Options are :

  • Steering committees approve security projects (Correct)
  • Security policy training provided to all managers
  • Steering committees enforce compliance with laws and regulations
  • Security training available to all employees on the intranet

Answer : Steering committees approve security projects

The MOST appropriate role for senior management in supporting information security is the:

Options are :

  • evaluation of vendors offering security products.
  • monitoring adherence to regulatory requirements.
  • approval of policy statements and funding. (Correct)
  • assessment of risks to the organization.

Answer : approval of policy statements and funding.

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

Options are :

  • Chief operating officer (COO) (Correct)
  • Chief privacy officer (CPO)
  • Chief legal counsel (CLC)
  • Chief security officer (CSO)

Answer : Chief operating officer (COO)

Which of the following roles would represent a conflict of interest for an information security manager?

Options are :

  • Evaluation of third parties requesting connectivity
  • Monitoring adherence to physical security controls
  • Assessment of the adequacy of disaster recovery plans
  • Final approval of information security policies (Correct)

Answer : Final approval of information security policies

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

Options are :

  • The data center manager has final signoff on all security projects. (Correct)
  • The information security oversight committee only meets quarterly.
  • The chief information officer (CIO) approves security policy changes.
  • The information security department has difficulty filling vacancies.

Answer : The data center manager has final signoff on all security projects.

Successful implementation of information security governance will FIRST require:

Options are :

  • a computer incident management team.
  • updated security policies (Correct)
  • security awareness training
  • a security architecture.

Answer : updated security policies

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:

Options are :

  • business strategy and direction.
  • storage capacity and shelf life
  • application systems and media. (Correct)
  • regulatory and legal requirements.

Answer : application systems and media.

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

Options are :

  • Develop a compliance risk assessment
  • Create separate policies to address each regulation
  • Incorporate policy statements provided by regulators
  • Develop policies that meet all mandated requirements (Correct)

Answer : Develop policies that meet all mandated requirements

Which of the following is characteristic of centralized information security management?

Options are :

  • Faster turnaround of requests
  • Better adherence to policies (Correct)
  • More expensive to administer
  • More aligned with business unit needs

Answer : Better adherence to policies
