CISM Information Security Governance Certification Test

Which of the following situations would MOST inhibit the effective implementation of security governance?

Options are :

  • High-level sponsorship (Correct)
  • Budgetary constraints
  • The complexity of technology
  • Conflicting business priorities

Answer : High-level sponsorship

Logging is an example of which type of defense against systems compromise?

Options are :

  • Detection (Correct)
  • Recovery
  • Containment
  • Reaction

Answer : Detection

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

Options are :

  • Compliance with international security standards
  • Existence of an alternate hot site in case of business disruption
  • Compliance with the organization's information security requirements (Correct)
  • Use of a two-factor authentication system

Answer : Compliance with the organization's information security requirements

The MOST important characteristic of good security policies is that they:

Options are :

  • are aligned with organizational goals. (Correct)
  • govern the creation of procedures and guidelines.
  • state expectations of IT management.
  • state only one general security mandate.

Answer : are aligned with organizational goals.

When developing an information security program, what is the MOST useful source of information for determining available resources?

Options are :

  • Organization chart
  • Proficiency test
  • Skills inventory (Correct)
  • Job descriptions

Answer : Skills inventory

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

Options are :

  • Cost-benefit analysis (Correct)
  • Security breach frequency
  • Peer group comparison
  • Annualized loss expectancy (ALE)

Answer : Cost-benefit analysis

Who is ultimately responsible for the organization's information?

Options are :

  • Data custodian
  • Chief information officer (CIO)
  • Board of directors (Correct)
  • Chief information security officer (CISO)

Answer : Board of directors

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?

Options are :

  • Follow local regulations only
  • Negotiate a local version of the organization standards (Correct)
  • Make the organization aware of those standards where local regulations cause conflicts
  • Give organization standards preference over local regulations

Answer : Negotiate a local version of the organization standards

Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

Options are :

  • Require the administrator to obtain security certification
  • Train the system administrator on risk assessment
  • Train the system administrator on penetration testing and vulnerability assessment
  • Include security responsibilities in the job description (Correct)

Answer : Include security responsibilities in the job description

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

Options are :

  • Budgetary requirements
  • Technical evaluation report
  • Business case (Correct)
  • Risk assessment report

Answer : Business case

An information security manager must understand the relationship between information security and business operations in order to:

Options are :

  • understand the threats to the business.
  • determine likely areas of noncompliance.
  • assess the possible impacts of compromise.
  • support organizational objectives. (Correct)

Answer : support organizational objectives.

Which of the following is the MOST important to keep in mind when assessing the value of information?

Options are :

  • The potential financial loss (Correct)
  • The cost of insurance coverage
  • Regulatory requirement
  • The cost of recreating the information

Answer : The potential financial loss

An outcome of effective security governance is:

Options are :

  • business dependency assessment.
  • strategic alignment. (Correct)
  • risk assessment.
  • planning.

Answer : strategic alignment.

Which of the following is the MOST important element of an information security strategy?

Options are :

  • Adoption of a control framework
  • Complete policies
  • Time frames for delivery
  • Defined objectives (Correct)

Answer : Defined objectives

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

Options are :

  • refer the issues to senior management along with any security recommendations. (Correct)
  • ensure that senior management provides authority for security to address the issues.
  • insist that managers or units not in agreement with the security solution accept the risk.
  • escalate issues to an external third party for resolution

Answer : refer the issues to senior management along with any security recommendations.

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

Options are :

  • develop an information security policy.
  • conduct a risk assessment. (Correct)
  • obtain benchmarking information.
  • prepare a security budget.

Answer : conduct a risk assessment.

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?

Options are :

  • System users
  • Business management
  • Information security manager (Correct)
  • Operations manager

Answer : Information security manager

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:

Options are :

  • it violates industry security practices.
  • short-term impact cannot be determined.
  • changes in the roles matrix cannot be detected.
  • it implies compliance risks. (Correct)

Answer : it implies compliance risks.

In implementing information security governance, the information security manager is PRIMARILY responsible for:

Options are :

  • developing the security strategy. (Correct)
  • approving the security strategy.
  • communicating the security strategy.
  • reviewing the security strategy.

Answer : developing the security strategy.

What will have the HIGHEST impact on standard information security governance models?

Options are :

  • Distance between physical locations
  • Number of employees
  • Complexity of organizational structure (Correct)
  • Organizational budget

Answer : Complexity of organizational structure

A security manager meeting the requirements for the international flow of personal data will need to ensure:

Options are :

  • a data protection registration.
  • a data processing agreement.
  • the agreement of the data subjects. (Correct)
  • subject access procedures.

Answer : the agreement of the data subjects.

Which of the following is the MOST important prerequisite for establishing information security management within an organization?

Options are :

  • Senior management commitment (Correct)
  • Information security framework
  • Information security policy
  • Information security organizational structure

Answer : Senior management commitment

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:

Options are :

  • review the functionalities and implementation requirements of the solution.
  • provide examples of situations where such a tool would be useful.
  • review comparison reports of tool implementation in peer companies.
  • substantiate the investment in meeting organizational needs. (Correct)

Answer : substantiate the investment in meeting organizational needs.

The FIRST step in developing an information security management program is to:

Options are :

  • clarify organizational purpose for creating the program. (Correct)
  • identify business risks that affect the organization.
  • assign responsibility for the program.
  • assess adequacy of controls to mitigate business risks.

Answer : clarify organizational purpose for creating the program.

To achieve effective strategic alignment of security initiatives, it is important that:

Options are :

  • Steering committee leadership be selected by rotation.
  • Inputs be obtained and consensus achieved between the major organizational units (Correct)
  • The business strategy be updated periodically.
  • Procedures and standards be approved by all departmental heads.

Answer : Inputs be obtained and consensus achieved between the major organizational units

Which of the following is MOST important in developing a security strategy?

Options are :

  • Having a reporting line to senior management
  • Creating a positive business security environment
  • Understanding key business objectives (Correct)
  • Allocating sufficient resources to information security

Answer : Understanding key business objectives

Who should drive the risk analysis for an organization?

Options are :

  • Quality manager
  • Security manager (Correct)
  • Legal department
  • Senior management

Answer : Security manager

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

Options are :

  • Business continuity investment
  • Alignment with industry best practices
  • Regulatory compliance (Correct)
  • Business benefits

Answer : Regulatory compliance

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:

Options are :

  • integration.
  • alignment. (Correct)
  • value delivery.
  • performance measurement.

Answer : alignment.

What would be the MOST significant security risk when using wireless local area network (LAN) technology?

Options are :

  • Man-in-the-middle attack
  • Session hijacking
  • Rogue access point (Correct)
  • Spoofing of data packets

Answer : Rogue access point

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

Options are :

  • Proportionality (Correct)
  • Ethics
  • Integration
  • Accountability

Answer : Proportionality

What is the PRIMARY role of the information security manager in the process of information classification within an organization?

Options are :

  • Deciding the classification levels applied to the organization's information assets
  • Defining and ratifying the classification structure of information assets (Correct)
  • Securing information assets in accordance with their classification
  • Checking if information assets have been classified properly

Answer : Defining and ratifying the classification structure of information assets

The MOST useful way to describe the objectives in the information security strategy is through:

Options are :

  • attributes and characteristics of the "desired state." (Correct)
  • calculation of annual loss expectations
  • mapping the IT systems to key business processes.
  • overall control objectives of the security program.

Answer : attributes and characteristics of the "desired state."

In order to highlight to management the importance of network security, the security manager should FIRST:

Options are :

  • develop a security architecture.
  • conduct a risk assessment. (Correct)
  • install a network intrusion detection system (NIDS) and prepare a list of attacks.
  • develop a network security policy.

Answer : conduct a risk assessment.

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

Options are :

  • developing effective metrics.
  • developing a business case. (Correct)
  • promoting regulatory requirements.
  • establishing a periodic risk assessment.

Answer : developing a business case.
