CISM Information Security Governance Certified Practice

Reviewing which of the following would BEST ensure that security controls are effective?

Options are :

  • Security metrics (Correct)
  • Risk assessment policies
  • User access rights
  • Return on security investment

Answer : Security metrics

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

Options are :

  • Change the standard to permit the deployment
  • Enforce the existing security standard
  • Perform research to propose use of a better technology
  • Perform a risk analysis to quantify the risk (Correct)

Answer : Perform a risk analysis to quantify the risk

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

Options are :

  • Create separate policies to address each regulation
  • Develop a compliance risk assessment
  • Incorporate policy statements provided by regulators
  • Develop policies that meet all mandated requirements (Correct)

Answer : Develop policies that meet all mandated requirements

Acceptable levels of information security risk should be determined by:

Options are :

  • the steering committee. (Correct)
  • external auditors.
  • security management.
  • legal counsel.

Answer : the steering committee.

When designing an information security quarterly report to management, the MOST important element to be considered should be the:

Options are :

  • knowledge required to analyze each issue.
  • information security metrics.
  • linkage to business area objectives. (Correct)
  • baseline against which metrics are evaluated.

Answer : linkage to business area objectives.

Which of the following are likely to be updated MOST frequently?

Options are :

  • Procedures for hardening database servers (Correct)
  • Standards for password length and complexity
  • Policies addressing information security governance
  • Standards for document retention and destruction

Answer : Procedures for hardening database servers

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

Options are :

  • establish baseline standards for all locations and add supplemental standards as required. (Correct)
  • establish a baseline standard incorporating those requirements that all jurisdictions have in common.
  • bring all locations into conformity with a generally accepted set of industry best practices.
  • bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.

Answer : establish baseline standards for all locations and add supplemental standards as required.

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?

Options are :

  • Ability to manage a diverse group of individuals and resources across an organization
  • Ability to understand and map organizational needs to security technologies (Correct)
  • Knowledge of the regulatory environment and project management techniques
  • Knowledge of information technology platforms, networks and development methodologies

Answer : Ability to understand and map organizational needs to security technologies

Which of the following would be MOST effective in successfully implementing restrictive password policies?

Options are :

  • Single sign-on system
  • Security awareness program (Correct)
  • Penalties for noncompliance
  • Regular password audits

Answer : Security awareness program

Which of the following is the MOST important information to include in a strategic plan for information security?

Options are :

  • Information security mission statement
  • Current state and desired future state (Correct)
  • Information security staffing requirements
  • IT capital investment requirements

Answer : Current state and desired future state

A good privacy statement should include:

Options are :

  • notification of liability on accuracy of information.
  • a description of the information classification process.
  • what the company will do with information it collects. (Correct)
  • notification that information will be encrypted.

Answer : what the company will do with information it collects.

Which of the following MOST commonly falls within the scope of an information security governance steering committee?

Options are :

  • Prioritizing information security initiatives (Correct)
  • Developing content for security awareness programs
  • Interviewing candidates for information security specialist positions
  • Approving access to critical financial systems

Answer : Prioritizing information security initiatives

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

Options are :

  • calculating return on investment (ROI) projections. (Correct)
  • assessing the frequency of incidents
  • comparing spending against similar organizations.
  • quantifying the cost of control failures.

Answer : calculating return on investment (ROI) projections.

Which of the following is the MOST important factor when designing information security architecture?

Options are :

  • Scalability of the network
  • Development methodologies
  • Stakeholder requirements (Correct)
  • Technical platform interfaces

Answer : Stakeholder requirements

Which of the following is responsible for legal and regulatory liability?

Options are :

  • Information security steering group
  • Board and senior management (Correct)
  • Chief legal counsel (CLC)
  • Chief security officer (CSO)

Answer : Board and senior management

From an information security manager's perspective, what is the immediate benefit of clearly defined roles and responsibilities?

Options are :

  • Better accountability (Correct)
  • Enhanced policy compliance
  • Segregation of duties
  • Improved procedure flows

Answer : Better accountability

Who should be responsible for enforcing access rights to application data?

Options are :

  • The security steering committee
  • Data owners
  • Security administrators (Correct)
  • Business process owners

Answer : Security administrators

While implementing information security governance an organization should FIRST:

Options are :

  • adopt security standards.
  • establish security policies.
  • define the security strategy. (Correct)
  • determine security baselines.

Answer : define the security strategy.

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

Options are :

  • Business impact analysis (BIA)
  • Risk assessment reports (Correct)
  • Security metrics reports
  • Return on security investment report

Answer : Risk assessment reports

Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

Options are :

  • Demonstrate that IT mitigating controls are in place
  • Ensure that all IT risks are identified
  • Suggest new IT controls to mitigate operational risk
  • Evaluate the impact of information security risks (Correct)

Answer : Evaluate the impact of information security risks

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

Options are :

  • chief technology officer (CTO).
  • legal counsel.
  • chief operations officer (COO). (Correct)
  • head of internal audit.

Answer : chief operations officer (COO).

Which of the following is the MOST important information to include in an information security standard?

Options are :

  • Initial draft approval date
  • Author name
  • Last review date (Correct)
  • Creation date

Answer : Last review date

Information security projects should be prioritized on the basis of:

Options are :

  • total cost for implementation.
  • time required for implementation.
  • impact on the organization. (Correct)
  • mix of resources required.

Answer : impact on the organization.

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

Options are :

  • Conduct disaster recovery test exercises
  • Update platform-level security settings
  • Develop an information security strategy paper (Correct)
  • Approve access to critical financial systems

Answer : Develop an information security strategy paper

Senior management commitment and support for information security can BEST be enhanced through:

Options are :

  • regular security awareness training for employees.
  • senior management signoff on the information security strategy.
  • a formal security policy sponsored by the chief executive officer (CEO).
  • periodic review of alignment with business management goals. (Correct)

Answer : periodic review of alignment with business management goals.

Which of the following would BEST prepare an information security manager for regulatory reviews?

Options are :

  • Perform self-assessments using regulatory guidelines and reports (Correct)
  • Ensure all regulatory inquiries are sanctioned by the legal department
  • Assess previous regulatory reports with process owners input
  • Assign an information security administrator as regulatory liaison

Answer : Perform self-assessments using regulatory guidelines and reports

The MOST basic requirement for an information security governance program is to:

Options are :

  • be aligned with the corporate business strategy. (Correct)
  • provide best practices for security initiatives.
  • be based on a sound risk management approach.
  • provide adequate regulatory compliance.

Answer : be aligned with the corporate business strategy.

The FIRST step in developing an information security management program is to:

Options are :

  • identify business risks that affect the organization.
  • assess adequacy of controls to mitigate business risks.
  • clarify organizational purpose for creating the program. (Correct)
  • assign responsibility for the program.

Answer : clarify organizational purpose for creating the program.

At what stage of the applications development process should the security department initially become involved?

Options are :

  • At testing
  • At detail requirements (Correct)
  • When requested
  • At programming

Answer : At detail requirements

Which of the following is MOST important in developing a security strategy?

Options are :

  • Creating a positive business security environment
  • Having a reporting line to senior management
  • Allocating sufficient resources to information security
  • Understanding key business objectives (Correct)

Answer : Understanding key business objectives

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

Options are :

  • Associating realistic threats to corporate objectives (Correct)
  • Analysis of current technological exposures
  • Statement of generally accepted best practices
  • Examples of genuine incidents at similar organizations

Answer : Associating realistic threats to corporate objectives

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

Options are :

  • prepare a security budget.
  • conduct a risk assessment. (Correct)
  • obtain benchmarking information.
  • develop an information security policy.

Answer : conduct a risk assessment.

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

Options are :

  • Proportionality (Correct)
  • Ethics
  • Integration
  • Accountability

Answer : Proportionality
