CISM Flashcards
Which of the following BEST indicates an effective vulnerability management program?
A. Security incidents are reported in a timely manner.
B. Threats are identified accurately.
C. Controls are managed proactively.
D. Risks are managed within acceptable limits.
D. Risks are managed within acceptable limits.
An information security manager discovers that the organization’s new information security policy is not being followed across all departments. Which of the following should be of GREATEST concern to the information security manager?
A. Business unit management has not emphasized the importance of the new policy.
B. Different communication methods may be required for each business unit.
C. The wording of the policy is not tailored to the audience.
D. The corresponding controls are viewed as prohibitive to business operations.
A. Business unit management has not emphasized the importance of the new policy.
Which of the following is the MOST important reason for performing a cost-benefit analysis when implementing a security control?
A. To ensure that the mitigation effort does not exceed the asset value
B. To ensure that benefits are aligned with business strategies
C. To present a realistic information security budget
D. To justify information security program activities
B. To ensure that benefits are aligned with business strategies
Which of the following information BEST supports risk management decision making?
A. Results of a vulnerability assessment
B. Estimated savings resulting from reduced risk exposure
C. Average cost of risk events
D. Quantification of threats through threat modeling
B. Estimated savings resulting from reduced risk exposure
Which of the following should be the PRIMARY driver for selecting and implementing appropriate controls to address the risk associated with weak user passwords?
A. The organization’s risk tolerance
B. The organization’s culture
C. The cost of risk mitigation controls
D. Direction from senior management
A. The organization’s risk tolerance
Which of the following is BEST determined by using technical metrics?
A. Whether controls are operating effectively
B. How well security risk is being managed
C. Whether security resources are adequately allocated
D. How well the security strategy is aligned with organizational objectives
A. Whether controls are operating effectively
The use of a business case to obtain funding for an information security investment is MOST effective when the business case:
A. relates the investment to the organization’s strategic plan.
B. realigns information security objectives to organizational strategy.
C. articulates management’s intent and information security directives in clear language.
D. translates information security policies and standards into business requirements.
B. realigns information security objectives to organizational strategy.
Recovery time objectives (RTOs) are an output of which of the following?
A. Business continuity plan (BCP)
B. Business impact analysis (BIA)
C. Service level agreement (SLA)
D. Disaster recovery plan (DRP)
B. Business impact analysis (BIA)
Which of the following is the MOST relevant information to include in an information security risk report to facilitate senior management’s understanding of impact to the organization?
A. Detailed assessment of the security risk profile
B. Risks inherent in new security technologies
C. Findings from recent penetration testing
D. Status of identified key security risks
D. Status of identified key security risks
Which of the following is the BEST way to determine if a recent investment in access control software was successful?
A. Senior management acceptance of the access control software
B. A comparison of security incidents before and after software installation
C. A business impact analysis (BIA) of the systems protected by the software
D. A review of the number of key risk indicators (KRIs) implemented for the software
C. A business impact analysis (BIA) of the systems protected by the software
Which of the following should be an information security manager’s MOST important criterion for determining when to review the incident response plan?
A. When recovery time objectives (RTOs) are not met
B. When missing information impacts recovery from an incident
C. Before an internal audit of the incident response process
D. At intervals indicated by industry best practice
D. At intervals indicated by industry best practice
During which stage of the software development life cycle (SDLC) should application security controls FIRST be addressed?
A. Software code development
B. Configuration management
C. Requirements gathering
D. Application system design
C. Requirements gathering
Which of the following is PRIMARILY influenced by a business impact analysis (BIA)?
A. Recovery strategy
B. Risk mitigation strategy
C. Security strategy
D. IT strategy
A. Recovery strategy
To set security expectations across the enterprise, it is MOST important for the information security policy to be regularly reviewed and endorsed by:
A. security administrators.
B. senior management.
C. the chief information security officer (CISO).
D. the IT steering committee.
B. senior management.
An information security manager notes that security incidents are not being appropriately escalated by the help desk after tickets are logged. Which of the following is the BEST automated control to resolve this issue?
A. Integrating automated service level agreement (SLA) reporting into the help desk ticketing system
B. Changing the default setting for all security incidents to the highest priority
C. Integrating incident response workflow into the help desk ticketing system
D. Implementing automated vulnerability scanning in the help desk workflow
C. Integrating incident response workflow into the help desk ticketing system