CISM TEST 1
1. Information security governance is PRIMARILY driven by:
   - Technology constraints.
   - Regulatory requirements.
   - Litigation potential.
   - Business strategy.

2. Investment in information security technologies should be based on:
   - Vulnerability assessments.
   - Value analysis.
   - Business climate.
   - Audit recommendations.

3. When a security standard conflicts with a business objective, the situation should be resolved by:
   - Changing the security standard.
   - Changing the business objective.
   - Performing a risk analysis.
   - Authorizing a risk acceptance.

4. It is MOST important that information security architecture be aligned with which of the following?
   - Industry best practices.
   - Information technology plans.
   - Information security best practices.
   - Business objectives and goals.

5. Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
   - The information security department has difficulty filling vacancies.
   - The chief information officer (CIO) approves security policy changes.
   - The information security oversight committee only meets quarterly.
   - The data center manager has final signoff on all security projects.

6. Which of the following would BEST prepare an information security manager for regulatory reviews?
   - Assign an information security administrator as regulatory liaison.
   - Perform self-assessments using regulatory guidelines and reports.
   - Assess previous regulatory reports with process owners' input.
   - Ensure all regulatory inquiries are sanctioned by the legal department.

7. An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
   - Security metrics reports.
   - Risk assessment reports.
   - Business impact analysis (BIA).
   - Return on security investment report.

8. At what stage of the applications development process should the security department initially become involved?
   - When requested.
   - At testing.
   - At programming.
   - At detail requirements.

9. Relationships among security technologies are BEST defined through which of the following?
   - Security metrics.
   - Network topology.
   - Security architecture.
   - Process improvement models.

10. What is the PRIMARY role of the information security manager in the process of information classification within an organization?
    - Defining and ratifying the classification structure of information assets.
    - Deciding the classification levels applied to the organization's information assets.
    - Securing information assets in accordance with their classification.
    - Checking if information assets have been classified properly.

11. An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
    - Ethics.
    - Proportionality.
    - Integration.
    - Accountability.

12. In order to highlight to management the importance of integrating information security in the business process, a newly hired information security officer should FIRST:
    - Prepare a security budget.
    - Conduct a risk assessment.
    - Develop an information security policy.
    - Obtain benchmarking information.

13. Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
    - It implies compliance risks.
    - Short-term impact cannot be determined.
    - It violates industry security practices.
    - Changes in the roles matrix cannot be detected.

14. An outcome of effective security governance is:
    - Business dependency assessment.
    - Strategic alignment.
    - Risk assessment.
    - Planning.

15. How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
    - Give organization standards preference over local regulations.
    - Follow local regulations only.
    - Make the organization aware of those standards where local regulations cause conflicts.
    - Negotiate a local version of the organization standards.

16. Who should drive the risk analysis for an organization?
    - Senior management.
    - Security manager.
    - Quality manager.
    - Legal department.

17. What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
    - Risk assessment report.
    - Technical evaluation report.
    - Business case.
    - Budgetary requirements.

18. To achieve strategic alignment of security initiatives, it is important that:
    - Steering committee leadership be selected by rotation.
    - Inputs be obtained and consensus achieved between the major organizational units.
    - The business strategy be updated periodically.
    - Procedures and standards be approved by all departmental heads.

19. An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:
    - Performance measurement.
    - Integration.
    - Alignment.
    - Value delivery.

20. When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
    - Compliance with international security standards.
    - Use of a two-factor authentication system.
    - Existence of an alternate hot site in case of business disruption.
    - Compliance with the organization's information security requirements.

21. The MOST useful way to describe the objectives in the information security strategy is through:
    - Attributes and characteristics of the 'desired state'.
    - Overall control objectives of the security program.
    - Mapping the IT systems to key business processes.
    - Calculation of annual loss expectations.

22. When developing an information security program, what is the MOST useful source of information for determining available resources?
    - Proficiency test.
    - Job descriptions.
    - Organization chart.
    - Skills inventory.

23. A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
    - Representation by regional business leaders.
    - Composition of the board.
    - Cultures of the different countries.
    - IT security skills.

24. Which of the following is the BEST justification to convince management to invest in an information security program?
    - Cost reduction.
    - Compliance with company policies.
    - Protection of business assets.
    - Increased business value.

25. Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
    - Continuous analysis, monitoring and feedback.
    - Continuous monitoring of the return on security investment (ROSI).
    - Continuous risk reduction.
    - Key risk indicator (KRI) setup to security management processes.

26. Which of the following is the BEST advantage of a centralized information security organizational structure?
    - It allows for a common level of assurance across the enterprise.
    - It is easier to manage and control business unit security teams.
    - It is more responsive to business unit needs.
    - It provides a faster turnaround for security waiver requests.

27. Which of the following would help to change an organization's security culture?
    - Develop procedures to enforce the information security policy.
    - Obtain strong management support.
    - Implement strict technical security controls.
    - Periodically audit compliance with the information security policy.

28. The BEST way to justify the implementation of a single sign-on (SSO) product is to use:
    - Return on investment (ROI).
    - Vulnerability assessment.
    - Annual loss expectancy (ALE).
    - A business case.

29. The FIRST step in establishing a security governance program is to:
    - Conduct a risk assessment.
    - Conduct a workshop for all end users.
    - Prepare a security budget.
    - Obtain high-level sponsorship.

30. Which of the following is a benefit of information security governance?
    - Reduction of the potential for civil or legal liability.
    - Questioning trust in vendor relationships.
    - Increasing the risk of decisions based on incomplete management information.
    - Direct involvement of senior management in developing control processes.

31. The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
    - Laws and regulations of the country of origin may not be enforceable in the foreign country.
    - A security breach notification might get delayed due to the time difference.
    - Additional network intrusion detection sensors should be installed, resulting in an additional cost.
    - The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

32. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?
    - Acceptance of the business manager's decision on the risk to the corporation.
    - Acceptance of the information security manager's decision on the risk to the corporation.
    - Review of the assessment with executive management for final input.
    - A new risk assessment and BIA are needed to resolve the disagreement.

33. Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
    - The security officer.
    - Senior management.
    - The end user.
    - The custodian.

34. Which of the following is the BEST reason to perform a business impact analysis (BIA)?
    - To help determine the current state of risk.
    - To budget appropriately for needed controls.
    - To satisfy regulatory requirements.
    - To analyze the effect on the business.

35. The effectiveness of an information security governance framework will BEST be enhanced if:
    - IS auditors are empowered to evaluate governance activities.
    - Risk management is built into operational and strategic activities.
    - A culture of legal and regulatory compliance is promoted by management.
    - Consultants review the information security governance framework.

36. The effectiveness of the information security process is reduced when an outsourcing organization:
    - Is responsible for information security governance activities.
    - Receives additional revenue when security service levels are met.
    - Incurs penalties for failure to meet security service-level agreements.
    - Standardizes on a single access-control software product.

37. Which of the following is the MOST important reason for an organization to develop an information security governance program?
    - Establishment of accountability.
    - Compliance with audit requirements.
    - Monitoring of security incidents.
    - Creation of tactical solutions.

38. The PRIMARY goal of information security governance to an organization is to:
    - Align with business processes.
    - Align with business objectives.
    - Establish a security strategy.
    - Manage security costs.

39. Which of the following is the MOST effective way of ensuring that business units comply with an information security governance framework?
    - Integrating security requirements with processes.
    - Performing security assessments and gap analysis.
    - Conducting a business impact analysis (BIA).
    - Conducting information security awareness training.

40. After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan?
    - Risk heat map.
    - Recent audit results.
    - Balanced scorecard.
    - Gap analysis.

41. Which of the following is the BEST way to align security and business strategies?
    - Include security risk as part of corporate risk management.
    - Develop a balanced scorecard for security.
    - Establish key performance indicators (KPIs) for business through security processes.
    - Integrate information security governance into corporate governance.

42. Which of the following is the MOST effective way for senior management to support the integration of information security governance into corporate governance?
    - Develop the information security strategy based on the enterprise strategy.
    - Appoint a business manager as head of information security.
    - Promote an organization-wide information security awareness campaign.
    - Establish a steering committee with representation from across the organization.

43. When establishing an information security governance framework, it is MOST important for an information security manager to understand:
    - The regulatory environment.
    - Information security best practices.
    - The corporate culture.
    - Risk management techniques.

44. Which of the following is a PRIMARY responsibility of an information security governance committee?
    - Analyzing information security policy compliance reviews.
    - Approving the purchase of information security technologies.
    - Reviewing the information security strategy.
    - Approving the information security awareness training strategy.

45. An information security manager discovers that the organization's new information security policy is not being followed across all departments. Which of the following should be of GREATEST concern to the information security manager?
    - Different communication methods may be required for each business unit.
    - Business unit management has not emphasized the importance of the new policy.
    - The wording of the policy is not tailored to the audience.

46. An organization has detected potential risk emerging from noncompliance with new regulations in its industry. Which of the following is the MOST important reason to report this situation to senior management?
    - The risk profile needs to be updated.
    - An external review of the risk needs to be conducted.
    - Specific monitoring controls need to be implemented.
    - A benchmark analysis needs to be performed.