Which of the following would best ensure success of information security governance within an organization?

Question 61

Which of the following BEST indicates an effective vulnerability management program?

  • A. Threats are identified accurately
  • B. Risks are managed within acceptable limits
  • C. Controls are managed proactively
  • D. Security incidents are reported in a timely manner

Question 62

Which of the following would help management determine the resources needed to mitigate a risk to the organization?

  • A. Risk analysis process
  • B. Business impact analysis (BIA)
  • C. Risk management balanced scorecard
  • D. Risk-based audit program

Question 63

Which of the following would BEST ensure the success of information security governance within an organization?

  • A. Steering committees approve security projects
  • B. Security policy training provided to all managers
  • C. Security training available to all employees on the intranet
  • D. Steering committees enforce compliance with laws and regulations

Question 64

Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:

  • A. mandatory access controls.
  • B. discretionary access controls.
  • C. lattice-based access controls.
  • D. role-based access controls.

Question 65

There is a time lag between the time when a security vulnerability is first published and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?

  • A. Identify the vulnerable systems and apply compensating controls
  • B. Minimize the use of vulnerable systems
  • C. Communicate the vulnerability to system users
  • D. Update the signatures database of the intrusion detection system (IDS)

Which of the following BEST demonstrates that an organization supports information security governance?

  • A. Employees attend annual organization-wide security training.
  • B. Information security steering committee meetings are held regularly.
  • C. Information security policies are readily available to employees.
  • D. The incident response plan is documented and tested regularly.

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

  • A. The information security department has difficulty filling vacancies.
  • B. The chief information officer (CIO) approves security policy changes.
  • C. The information security oversight committee only meets quarterly.
  • D. The data center manager has final signoff on all security projects.

    The MOST important component of a privacy policy is:

    Options are :

    • geographic coverage.
    • notifications.
    • liabilities.
    • warranties

    Answer : notifications.

    CISM Information Security Governance Practice Test Set 4

    Which of the following requirements would have the lowest level of priority in information security?

    Options are :

    • Technical
    • Privacy
    • Regulatory
    • Business

    Answer : Technical

    Minimum standards for securing the technical infrastructure should be defined in a security:

    Options are :

    • strategy
    • guidelines.
    • architecture.
    • model

    Answer : architecture.

    Information security governance is PRIMARILY driven by:

    Options are :

    • regulatory requirements.
    • technology constraints.
    • business strategy.
    • litigation potential

    Answer : business strategy.

    Retention of business records should PRIMARILY be based on:

    Options are :

    • business ease and value analysis.
    • regulatory and legal requirements.
    • business strategy and direction.
    • storage capacity and longevity

    Answer : regulatory and legal requirements.

    The cost of implementing a security control should not exceed the:

    Options are :

    • implementation opportunity costs.
    • annualized loss expectancy.
    • cost of an incident.
    • asset value

    Answer : asset value

    The PRIMARY goal in developing an information security strategy is to:

    Options are :

    • ensure that legal and regulatory requirements are met
    • educate business process owners regarding their duties
    • support the business objectives of the organization.
    • establish security metrics and performance monitoring.

    Answer : support the business objectives of the organization.

    Which of the following represents the MAJOR focus of privacy regulations?

    Options are :

    • Unrestricted data mining
    • Human rights protection
    • Identifiable personal data
    • Identity theft

    Answer : Identifiable personal data

    Security technologies should be selected PRIMARILY on the basis of their:

    Options are :

    • use of new and emerging technologies.
    • ability to mitigate business risks
    • benefits in comparison to their costs.
    • evaluations in trade publications.

    Answer : ability to mitigate business risks

    Which of the following should be the FIRST step in developing an information security plan?

    Options are :

    • Assess the current levels of security awareness
    • Analyze the current business strategy
    • Perform a business impact analysis
    • Perform a technical vulnerabilities assessment

    Answer : Analyze the current business strategy

    When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?

    Options are :

    • Benchmark peer organizations
    • Develop a security architecture
    • Assemble an experienced staff
    • Establish good communication with steering committee members

    Answer : Establish good communication with steering committee members

    Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:

    Options are :

    • the responsibilities of organizational units.
    • security needs
    • organization wide metrics.
    • organizational risk

    Answer : organizational risk

    Which of the following is MOST appropriate for inclusion in an information security strategy?

    Options are :

    • Budget estimates to acquire specific security tools
    • Firewall rule sets, network defaults and intrusion detection system (IDS) settings
    • Business controls designated as key controls
    • Security processes, methods, tools and techniques

    Answer : Security processes, methods, tools and techniques

    Senior management commitment and support for information security can BEST be enhanced through:

    Options are :

    • regular security awareness training for employees.
    • periodic review of alignment with business management goals
    • a formal security policy sponsored by the chief executive officer (CEO).
    • senior management signoff on the information security strategy

    Answer : periodic review of alignment with business management goals

    Which of the following would be the MOST important goal of an information security governance program?

    Options are :

    • Total elimination of risk factors
    • Effective involvement in business decision making
    • Review of internal control mechanisms
    • Ensuring trust in data

    Answer : Ensuring trust in data

    Senior management commitment and support for information security can BEST be obtained through presentations that:

    Options are :

    • tie security risks to key business objectives.
    • use illustrative examples of successful attacks.
    • explain the technical risks to the organization.
    • evaluate the organization against best security practices.

    Answer : tie security risks to key business objectives.

    Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

    Options are :

    • Information security manager
    • Internal auditor
    • Chief operating officer (COO)
    • Legal counsel

    Answer : Chief operating officer (COO)

    Relationships among security technologies are BEST defined through which of the following?

    Options are :

    • Network topology
    • Security architecture
    • Process improvement models
    • Security metrics

    Answer : Security architecture

    A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

    Options are :

    • Enforce the existing security standard
    • Perform a risk analysis to quantify the risk
    • Change the standard to permit the deployment
    • Perform research to propose use of a better technology

    Answer : Perform a risk analysis to quantify the risk

    When a security standard conflicts with a business objective, the situation should be resolved by:

    Options are :

    • performing a risk analysis
    • changing the security standard.
    • changing the business objective

    Answer : performing a risk analysis

    Which of the following is MOST likely to be discretionary?

    Options are :

    • Guidelines
    • Standards
    • Procedures
    • Policies

    Answer : Guidelines

    Investments in information security technologies should be based on:

    Options are :

    • audit recommendations.
    • value analysis
    • business climate.
    • vulnerability assessments.

    Answer : value analysis

    Which of the following are seldom changed in response to technological changes?

    Options are :

    • Procedures
    • Guidelines
    • Standards
    • Policies

    Answer : Policies

    Acceptable levels of information security risk should be determined by:

    Options are :

    • legal counsel.
    • external auditors.
    • security management.
    • the steering committee.

    Answer : the steering committee.

    It is MOST important that information security architecture be aligned with which of the following?

    Options are :

    • Business objectives and goals
    • Information technology plans
    • Information security best practices
    • Industry best practices

    Answer : Business objectives and goals

    Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

    Options are :

    • Better adherence to policies
    • More savings in total operating costs
    • More uniformity in quality of service
    • Better alignment to business unit needs

    Answer : Better alignment to business unit needs

    Which of the following would BEST ensure the success of information security governance within an organization?

    Options are :

    • Steering committees approve security projects
    • Security policy training provided to all managers
    • Steering committees enforce compliance with laws and regulations
    • Security training available to all employees on the intranet

    Answer : Steering committees approve security projects

    The MOST appropriate role for senior management in supporting information security is the:

    Options are :

    • evaluation of vendors offering security products.
    • monitoring adherence to regulatory requirements.
    • approval of policy statements and funding.
    • assessment of risks to the organization.

    Answer : approval of policy statements and funding.

    Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

    Options are :

    • Chief operating officer (COO)
    • Chief privacy officer (CPO)
    • Chief legal counsel (CLC)
    • Chief security officer (CSO)

    Answer : Chief operating officer (COO)

    Which of the following roles would represent a conflict of interest for an information security manager?

    Options are :

    • Evaluation of third parties requesting connectivity
    • Monitoring adherence to physical security controls
    • Assessment of the adequacy of disaster recovery plans
    • Final approval of information security policies

    Answer : Final approval of information security policies

    Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

    Options are :

    • The data center manager has final signoff on all security projects.
    • The information security oversight committee only meets quarterly.
    • The chief information officer (CIO) approves security policy changes.
    • The information security department has difficulty filling vacancies.

    Answer : The data center manager has final signoff on all security projects.

    Successful implementation of information security governance will FIRST require:

    Options are :

    • a computer incident management team.
    • updated security policies
    • security awareness training
    • a security architecture.

    Answer : updated security policies

    The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:

    Options are :

    • business strategy and direction.
    • storage capacity and shelf life
    • application systems and media.
    • regulatory and legal requirements.

    Answer : application systems and media.

    When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

    Options are :

    • Develop a compliance risk assessment
    • Create separate policies to address each regulation
    • Incorporate policy statements provided by regulators
    • Develop policies that meet all mandated requirements

    Answer : Develop policies that meet all mandated requirements

    Which of the following is characteristic of centralized information security management?

    Options are :

    • Faster turnaround of requests
    • Better adherence to policies
    • More expensive to administer
    • More aligned with business unit needs

    Answer : Better adherence to policies

    Which of the following would be the MOST important goal of an information security governance program?

    Explanation: The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance.

    Reviewing which of the following would BEST ensure that security controls are effective?

    Explanation: Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture.

    Information security governance is PRIMARILY driven by: business strategy.

    Which of the following should be included in the information security strategy?

    The following list offers some important considerations when developing an information security policy:

    • Purpose
    • Audience
    • Information security objectives
    • Authority and access control policy
    • Data classification
    • Data support and operations
    • Security awareness and behavior
    • Encryption policy