CISM Information Security Governance Certified Practice Exam

Senior management commitment and support for information security can BEST be obtained through presentations that:

Options are :

  • explain the technical risks to the organization.
  • use illustrative examples of successful attacks.
  • tie security risks to key business objectives. (Correct)
  • evaluate the organization against best security practices.

Answer : tie security risks to key business objectives.

Successful implementation of information security governance will FIRST require:

Options are :

  • a security architecture.
  • a computer incident management team.
  • updated security policies. (Correct)
  • security awareness training.

Answer : updated security policies

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:

Options are :

  • regulatory and legal requirements.
  • business strategy and direction.
  • storage capacity and shelf life.
  • application systems and media. (Correct)

Answer : application systems and media.

Which of the following are seldom changed in response to technological changes?

Options are :

  • Guidelines
  • Policies (Correct)
  • Procedures
  • Standards

Answer : Policies

Which of the following roles would represent a conflict of interest for an information security manager?

Options are :

  • Monitoring adherence to physical security controls
  • Final approval of information security policies (Correct)
  • Evaluation of third parties requesting connectivity
  • Assessment of the adequacy of disaster recovery plans

Answer : Final approval of information security policies

Which of the following would be the MOST important goal of an information security governance program?

Options are :

  • Effective involvement in business decision making
  • Review of internal control mechanisms
  • Total elimination of risk factors
  • Ensuring trust in data (Correct)

Answer : Ensuring trust in data

Which of the following is MOST likely to be discretionary?

Options are :

  • Policies
  • Guidelines (Correct)
  • Procedures
  • Standards

Answer : Guidelines

Investments in information security technologies should be based on:

Options are :

  • vulnerability assessments.
  • value analysis. (Correct)
  • audit recommendations.
  • business climate.

Answer : value analysis

When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?

Options are :

  • Benchmark peer organizations
  • Assemble an experienced staff
  • Establish good communication with steering committee members (Correct)
  • Develop a security architecture

Answer : Establish good communication with steering committee members

Retention of business records should PRIMARILY be based on:

Options are :

  • business ease and value analysis.
  • business strategy and direction.
  • storage capacity and longevity.
  • regulatory and legal requirements. (Correct)

Answer : regulatory and legal requirements.

Relationships among security technologies are BEST defined through which of the following?

Options are :

  • Process improvement models
  • Security architecture (Correct)
  • Network topology
  • Security metrics

Answer : Security architecture

It is MOST important that information security architecture be aligned with which of the following?

Options are :

  • Business objectives and goals (Correct)
  • Information security best practices
  • Industry best practices
  • Information technology plans

Answer : Business objectives and goals

The MOST appropriate role for senior management in supporting information security is the:

Options are :

  • assessment of risks to the organization.
  • approval of policy statements and funding. (Correct)
  • evaluation of vendors offering security products.
  • monitoring adherence to regulatory requirements.

Answer : approval of policy statements and funding.

Which of the following requirements would have the lowest level of priority in information security?

Options are :

  • Regulatory
  • Technical (Correct)
  • Privacy
  • Business

Answer : Technical

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

Options are :

  • Better alignment to business unit needs (Correct)
  • Better adherence to policies
  • More savings in total operating costs
  • More uniformity in quality of service

Answer : Better alignment to business unit needs

Information security governance is PRIMARILY driven by:

Options are :

  • regulatory requirements.
  • business strategy. (Correct)
  • litigation potential.
  • technology constraints.

Answer : business strategy.

Which of the following is MOST appropriate for inclusion in an information security strategy?

Options are :

  • Security processes, methods, tools and techniques (Correct)
  • Business controls designated as key controls
  • Firewall rule sets, network defaults and intrusion detection system (IDS) settings
  • Budget estimates to acquire specific security tools

Answer : Security processes, methods, tools and techniques

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

Options are :

  • Legal counsel
  • Information security manager
  • Chief operating officer (COO) (Correct)
  • Internal auditor

Answer : Chief operating officer (COO)

Which of the following should be the FIRST step in developing an information security plan?

Options are :

  • Perform a business impact analysis
  • Analyze the current business strategy (Correct)
  • Assess the current levels of security awareness
  • Perform a technical vulnerabilities assessment

Answer : Analyze the current business strategy

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

Options are :

  • The chief information officer (CIO) approves security policy changes.
  • The data center manager has final signoff on all security projects. (Correct)
  • The information security department has difficulty filling vacancies.
  • The information security oversight committee only meets quarterly.

Answer : The data center manager has final signoff on all security projects.

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

Options are :

  • Chief legal counsel (CLC)
  • Chief privacy officer (CPO)
  • Chief security officer (CSO)
  • Chief operating officer (COO) (Correct)

Answer : Chief operating officer (COO)

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:

Options are :

  • organizational risk. (Correct)
  • the responsibilities of organizational units.
  • organization-wide metrics.
  • security needs.

Answer : organizational risk

The MOST important component of a privacy policy is:

Options are :

  • geographic coverage.
  • liabilities.
  • warranties.
  • notifications. (Correct)

Answer : notifications.

Which of the following represents the MAJOR focus of privacy regulations?

Options are :

  • Human rights protection
  • Identifiable personal data (Correct)
  • Unrestricted data mining
  • Identity theft

Answer : Identifiable personal data

Security technologies should be selected PRIMARILY on the basis of their:

Options are :

  • ability to mitigate business risks. (Correct)
  • evaluations in trade publications.
  • benefits in comparison to their costs.
  • use of new and emerging technologies.

Answer : ability to mitigate business risks

Which of the following would BEST ensure the success of information security governance within an organization?

Options are :

  • Steering committees enforce compliance with laws and regulations
  • Security policy training provided to all managers
  • Security training available to all employees on the intranet
  • Steering committees approve security projects (Correct)

Answer : Steering committees approve security projects

The cost of implementing a security control should not exceed the:

Options are :

  • cost of an incident.
  • asset value (Correct)
  • implementation opportunity costs.
  • annualized loss expectancy.

Answer : asset value

When a security standard conflicts with a business objective, the situation should be resolved by:

Options are :

  • changing the business objective.
  • changing the security standard.
  • performing a risk analysis. (Correct)

Answer : performing a risk analysis

Minimum standards for securing the technical infrastructure should be defined in a security:

Options are :

  • architecture. (Correct)
  • model.
  • strategy.
  • guidelines.

Answer : architecture.

Which of the following is characteristic of centralized information security management?

Options are :

  • Better adherence to policies (Correct)
  • More expensive to administer
  • Faster turnaround of requests
  • More aligned with business unit needs

Answer : Better adherence to policies

The PRIMARY goal in developing an information security strategy is to:

Options are :

  • educate business process owners regarding their duties.
  • establish security metrics and performance monitoring.
  • ensure that legal and regulatory requirements are met.
  • support the business objectives of the organization. (Correct)

Answer : support the business objectives of the organization.

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

Options are :

  • based on the current rate of technological change.
  • aligned with the IT strategic plan.
  • three-to-five years for both hardware and software.
  • aligned with the business strategy. (Correct)

Answer : aligned with the business strategy.

Information security policy enforcement is the responsibility of the:

Options are :

  • chief information security officer (CISO). (Correct)
  • chief compliance officer (CCO).
  • security steering committee.
  • chief information officer (CIO).

Answer : chief information security officer (CISO).
