Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CISM Study Questions B > CISM Practice B Topic 1 > Flashcards

CISM Practice B Topic 1 Flashcards

1
Q

Which of the following should be the FIRST step in developing an information security plan?

Perform a technical vulnerabilities assessment

Analyze the current business strategy

Perform a business impact analysis

Assess the current levels of security awareness

A

Analyze the current business strategy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Senior management commitment and support for information security can BEST be obtained through presentations that:

use illustrative examples of successful attacks.

explain the technical risks to the organization.

evaluate the organization against best security practices.

tie security risks to key business objectives.

A

tie security risks to key business objectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

The MOST appropriate role for senior management in supporting information security is the:

evaluation of vendors offering security products.

assessment of risks to the organization.

approval of policy statements and funding.

monitoring adherence to regulatory requirements.

A

approval of policy statements and funding.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which of the following would BEST ensure the success of information security governance within an organization?

Steering committees approve security projects

Security policy training provided to all managers

Security training available to all employees on the intranet

Steering committees enforce compliance with laws and regulations

A

Steering committees approve security projects

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Information security governance is PRIMARILY driven by:

technology constraints.

regulatory requirements.

litigation potential.

business strategy.

A

business strategy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which of the following represents the MAJOR focus of privacy regulations?

Unrestricted data mining

Identity theft

Human rights protection

Identifiable personal data

A

Identifiable personal data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Investments in information security technologies should be based on:

vulnerability assessments.

value analysis.

business climate.

audit recommendations.

A

value analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Retention of business records should PRIMARILY be based on:

business strategy and direction.

regulatory and legal requirements.

storage capacity and longevity.

business case and value analysis.

A

regulatory and legal requirements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following is characteristic of centralized information security management?

More expensive to administer

Better adherence to policies

More aligned with business unit needs

Faster turnaround of requests

A

Better adherence to policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Successful implementation of information security governance will FIRST require:

security awareness training.

updated security policies.

a computer incident management team.

a security architecture.

A

updated security policies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

Information security manager

Chief operating officer (COO)

Internal auditor

Legal counsel

A

Chief operating officer (COO)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

The MOST important component of a privacy policy is:

notifications.

warranties.

liabilities.

geographic coverage.

A

notifications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

The cost of implementing a security control should not exceed the:

annualized loss expectancy.

cost of an incident.

asset value.

implementation opportunity costs

A

asset value.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

When a security standard conflicts with a business objective, the situation should be resolved by:

changing the security standard.

changing the business objective.

performing a risk analysis.

authorizing a risk acceptance.

A

performing a risk analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Minimum standards for securing the technical infrastructure should be defined in a security:

strategy.

guidelines.

model.

architecture.

A

architecture.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Which of the following is MOST appropriate for inclusion in an information security strategy?

Business controls designated as key controls

Security processes, methods, tools and techniques

Firewall rule sets, network defaults and intrusion detection system (IDS) settings

Budget estimates to acquire specific security tools

A

Security processes, methods, tools and techniques

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:

organizational risk.

organization wide metrics.

security needs.

the responsibilities of organizational units.

A

organizational risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which of the following roles would represent a conflict of interest for an information security manager?

Evaluation of third parties requesting connectivity

Assessment of the adequacy of disaster recovery plans

Final approval of information security policies

Monitoring adherence to physical security controls

A

Final approval of information security policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

The information security department has difficulty filling vacancies.

The chief information officer (CIO) approves security policy changes.

The information security oversight committee only meets quarterly.

The data center manager has final signoff on all security projects.

A

The data center manager has final signoff on all security projects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Which of the following requirements would have the lowest level of priority in information security?

Technical

Regulatory

Privacy

Business

A

Technical

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?

Develop a security architecture

Establish good communication with steering committee members

Assemble an experienced staff

Benchmark peer organizations

A

Establish good communication with steering committee members

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

It is MOST important that information security architecture be aligned with which of the following?

Industry best practices

Information technology plans

Information security best practices

Business objectives and goals

A

Business objectives and goals

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Which of the following is MOST likely to be discretionary?

Policies

Procedures

Guidelines

Standards

A

Guidelines

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Security technologies should be selected PRIMARILY on the basis of their:

ability to mitigate business risks.

evaluations in trade publications.

use of new and emerging technologies.

benefits in comparison to their costs.

A

ability to mitigate business risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

Which of the following are seldom changed in response to technological changes?

Standards

Procedures

Policies

Guidelines

A

Policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:

storage capacity and shelf life.

regulatory and legal requirements.

business strategy and direction.

application systems and media.

A

application systems and media.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

More uniformity in quality of service

Better adherence to policies

Better alignment to business unit needs

More savings in total operating costs

A

Better alignment to business unit needs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

Chief security officer (CSO)

Chief operating officer (COO)

Chief privacy officer (CPO)

Chief legal counsel (CLC)

A

Chief operating officer (COO)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Which of the following would be the MOST important goal of an information security governance program?

Review of internal control mechanisms

Effective involvement in business decision making

Total elimination of risk factors

Ensuring trust in data

A

Ensuring trust in data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Relationships among security technologies are BEST defined through which of the following?

Security metrics

Network topology

Security architecture

Process improvement models

A

Security architecture

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

Enforce the existing security standard

Change the standard to permit the deployment

Perform a risk analysis to quantify the risk

Perform research to propose use of a better technology

A

Perform a risk analysis to quantify the risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Acceptable levels of information security risk should be determined by:

legal counsel.

security management.

external auditors.

the steering committee.

A

the steering committee.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

The PRIMARY goal in developing an information security strategy is to:

  • establish security metrics and performance monitoring.
  • educate business process owners regarding their duties.
  • ensure that legal and regulatory requirements are met
  • support the business objectives of the organization.
A

support the business objectives of the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Senior management commitment and support for information security can BEST be enhanced through:

a formal security policy sponsored by the chief executive officer (CEO).

regular security awareness training for employees.

periodic review of alignment with business management goals.

senior management signoff on the information security strategy.

A

periodic review of alignment with business management goals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

Create separate policies to address each regulation

Develop policies that meet all mandated requirements

Incorporate policy statements provided by regulators

Develop a compliance risk assessment

A

Develop policies that meet all mandated requirements

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

Which of the following MOST commonly falls within the scope of an information security governance steering committee?

Interviewing candidates for information security specialist positions

Developing content for security awareness programs

Prioritizing information security initiatives

Approving access to critical financial systems

A

Prioritizing information security initiatives

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Which of the following is the MOST important factor when designing information security architecture?

Technical platform interfaces

Scalability of the network

Development methodologies

Stakeholder requirements

A

Stakeholder requirements

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?

Knowledge of information technology platforms, networks and development methodologies

Ability to understand and map organizational needs to security technologies

Knowledge of the regulatory environment and project management techniques

Ability to manage a diverse group of individuals and resources across an organization

A

Ability to understand and map organizational needs to security technologies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

Which of the following are likely to be updated MOST frequently?

Procedures for hardening database servers

Standards for password length and complexity

Policies addressing information security governance

Standards for document retention and destruction

A

Procedures for hardening database servers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Who should be responsible for enforcing access rights to application data?

Data owners

Business process owners

The security steering committee

Security administrators

A

Security administrators

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

head of internal audit.

chief operations officer (COO).

chief technology officer (CTO).

legal counsel.

A

chief operations officer (COO).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

Update platform-level security settings

Conduct disaster recovery test exercises

Approve access to critical financial systems

Develop an information security strategy paper

A

Develop an information security strategy paper

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

assessing the frequency of incidents.

quantifying the cost of control failures.

calculating return on investment (ROI) projections.

comparing spending against similar organizations.

A

calculating return on investment (ROI) projections.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

aligned with the IT strategic plan.

based on the current rate of technological change.

three-to-five years for both hardware and software.

aligned with the business strategy.

A

aligned with the business strategy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

Which of the following is the MOST important information to include in a strategic plan for information security?

Information security staffing requirements

Current state and desired future state

IT capital investment requirements

Information security mission statement

A

Current state and desired future state

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

Information security projects should be prioritized on the basis of:

time required for implementation.

impact on the organization.

total cost for implementation.

mix of resources required.

A

impact on the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

Which of the following is the MOST important information to include in an information security standard?

Creation date

Author name

Initial draft approval date

Last review date

A

Last review date

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

Which of the following would BEST prepare an information security manager for regulatory reviews?

Assign an information security administrator as regulatory liaison

Perform self-assessments using regulatory guidelines and reports

Assess previous regulatory reports with process owners input

Ensure all regulatory inquiries are sanctioned by the legal department

A

Perform self-assessments using regulatory guidelines and reports

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

  • bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
  • establish baseline standards for all locations and add supplemental standards as required.
  • bring all locations into conformity with a generally accepted set of industry best practices.
  • establish a baseline standard incorporating those requirements that all jurisdictions have in common.
A

establish baseline standards for all locations and add supplemental standards as required.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

Which of the following BEST describes an information security manager’s role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

Ensure that all IT risks are identified

Evaluate the impact of information security risks

Demonstrate that IT mitigating controls are in place

Suggest new IT controls to mitigate operational risk

A

Evaluate the impact of information security risks

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities?

Enhanced policy compliance

Improved procedure flows

Segregation of duties

Better accountability

A

Better accountability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

Security metrics reports

Risk assessment reports

Business impact analysis (BIA)

Return on security investment report

A

Risk assessment reports

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

Reviewing which of the following would BEST ensure that security controls are effective?

Risk assessment policies

Return on security investment

Security metrics

User access rights

A

Security metrics

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

Which of the following is responsible for legal and regulatory liability?

Chief security officer (CSO)

Chief legal counsel (CLC)

Board and senior management

Information security steering group

A

Board and senior management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

While implementing information security governance an organization should FIRST:

adopt security standards.

determine security baselines.

define the security strategy.

establish security policies.

A

define the security strategy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

Information security policy enforcement is the responsibility of the:

security steering committee.

chief information officer (CIO).

chief information security officer (CISO).

chief compliance officer (CCO).

A

chief information security officer (CISO).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

A good privacy statement should include:

notification of liability on accuracy of information.

notification that information will be encrypted.

what the company will do with information it collects.

a description of the information classification process

A

what the company will do with information it collects.

58
Q

Which of the following would be MOST effective in successfully implementing restrictive password policies?

Regular password audits

Single sign-on system

Security awareness program

Penalties for noncompliance

A

Security awareness program

59
Q

When designing an information security quarterly report to management, the MOST important element to be considered should be the:

information security metrics.

knowledge required to analyze each issue.

linkage to business area objectives.

baseline against which metrics are evaluated.

A

linkage to business area objectives.

60
Q

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

corporate data privacy policy.

data privacy policy where data are collected.

data privacy policy of the headquarters’ country.

data privacy directive applicable globally.

A

data privacy policy where data are collected.

61
Q

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

meet with stakeholders to decide how to comply.

analyze key risks in the compliance process.

assess whether existing controls meet the regulation.

update the existing security/privacy policy

A

assess whether existing controls meet the regulation.

62
Q

The PRIMARY objective of a security steering group is to:

  • ensure information security covers all business functions.
  • ensure information security aligns with business goals.
  • raise information security awareness across the organization.
  • implement all decisions on security management across the organization
A

ensure information security aligns with business goals.

63
Q

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

baseline.

strategy.

procedure.

policy.

A

policy.

64
Q

At what stage of the applications development process should the security department initially become involved?

When requested

At testing

At programming

At detail requirements

A

At detail requirements

65
Q

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

Examples of genuine incidents at similar organizations

Statement of generally accepted best practices

Associating realistic threats to corporate objectives

Analysis of current technological exposures

A

Associating realistic threats to corporate objectives

66
Q

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

generally accepted industry best practices.

business requirements.

legislative and regulatory requirements.

storage availability.

A

business requirements.

67
Q

When personal information is transmitted across networks, there MUST be adequate controls over:

change management.

privacy protection.

consent to data transfer.

encryption devices.

A

privacy protection.

68
Q

An organization’s information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

ensure that security processes are consistent across the organization.

enforce baseline security levels across the organization.

ensure that security processes are fully documented.

implement monitoring of key performance indicators for security processes.

A

ensure that security processes are consistent across the organization.

69
Q

Who in an organization has the responsibility for classifying information?

Data custodian

Database administrator

Information security officer

Data owner

A

Data owner

70
Q

What is the PRIMARY role of the information security manager in the process of information classification within an organization?

Defining and ratifying the classification structure of information assets

Deciding the classification levels applied to the organization’s information assets

Securing information assets in accordance with their classification

Checking if information assets have been classified properly

A

Defining and ratifying the classification structure of information assets

71
Q

Logging is an example of which type of defense against systems compromise?

Containment

Detection

Reaction

Recovery

A

Detection

72
Q

Which of the following is MOST important in developing a security strategy?

Creating a positive business security environment

Understanding key business objectives

Having a reporting line to senior management

Allocating sufficient resources to information security

A

Understanding key business objectives

73
Q

Who is ultimately responsible for the organization’s information?

Data custodian

Chief information security officer (CISO)

Board of directors

Chief information officer (CIO)

A

Board of directors

74
Q

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

Alignment with industry best practices

Business continuity investment

Business benefits

Regulatory compliance

A

Regulatory compliance

75
Q

A security manager meeting the requirements for the international flow of personal data will need to ensure:

a data processing agreement.

a data protection registration.

the agreement of the data subjects.

subject access procedures.

A

the agreement of the data subjects.

76
Q

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

Ethics

Proportionality

Integration

Accountability

A

Proportionality

77
Q

Which of the following is the MOST important prerequisite for establishing information securitymanagement within an organization?

Senior management commitment

Information security framework

Information security organizational structure

Information security policy

A

Senior management commitment

78
Q

What will have the HIGHEST impact on standard information security governance models?

Number of employees

Distance between physical locations

Complexity of organizational structure

Organizational budget

A

Complexity of organizational structure

79
Q

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

prepare a security budget.

conduct a risk assessment.

develop an information security policy.

obtain benchmarking information.

A

conduct a risk assessment.

80
Q

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:

it implies compliance risks.

short-term impact cannot be determined.

it violates industry security practices.

changes in the roles matrix cannot be detected.

A

it implies compliance risks.

81
Q

An outcome of effective security governance is:

business dependency assessment

strategic alignment.

risk assessment.

planning.

A

strategic alignment.

82
Q

How would an information security manager balance the potentially conflicting requirements of an international organization’s security standards and local regulation?

Give organization standards preference over local regulations

Follow local regulations only

Make the organization aware of those standards where local regulations causes conflicts

Negotiate a local version of the organization standards

A

Negotiate a local version of the organization standards

83
Q

Who should drive the risk analysis for an organization?

Senior management

Security manager

Quality manager

Legal department

A

Security manager

84
Q

The FIRST step in developing an information security management program is to:

  • identify business risks that affect the organization.
  • clarify organizational purpose for creating the program.
  • assign responsibility for the program.
  • assess adequacy of controls to mitigate business risks
A

clarify organizational purpose for creating the program.

85
Q

Which of the following is the MOST important to keep in mind when assessing the value of information?

The potential financial loss

The cost of recreating the information

The cost of insurance coverage

Regulatory requirement

A

The potential financial loss

86
Q

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

Risk assessment report

Technical evaluation report

Business case

Budgetary requirements

A

Business case

87
Q

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

Security breach frequency

Annualized loss expectancy (ALE)

Cost-benefit analysis

Peer group comparison

A

Cost-benefit analysis

88
Q

Which of the following situations would MOST inhibit the effective implementation of security governance:

The complexity of technology

Budgetary constraints

Conflicting business priorities

High-level sponsorship

A

High-level sponsorship

89
Q

To achieve effective strategic alignment of security initiatives, it is important that:

Steering committee leadership be selected by rotation.

Inputs be obtained and consensus achieved between the major organizational units.

The business strategy be updated periodically.

Procedures and standards be approved by all departmental heads.

A

Inputs be obtained and consensus achieved between the major organizational units.

90
Q

What would be the MOST significant security risks when using wireless local area network (LAN) technology?

Man-in-the-middle attack

Spoofing of data packets

Rogue access point

Session hijacking

A

Rogue access point

91
Q

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?

Business management

Operations manager

Information security manager

System users

A

Information security manager

92
Q

In implementing information security governance, the information security manager is PRIMARILY responsible for:

developing the security strategy.

reviewing the security strategy.

communicating the security strategy.

approving the security strategy

A

developing the security strategy.

93
Q

An information security strategy document that includes specific links to an organization’s business activities is PRIMARILY an indicator of:

performance measurement.

integration.

alignment.

value delivery.

A

alignment.

94
Q

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

Compliance with international security standards.

Use of a two-factor authentication system.

Existence of an alternate hot site in case of business disruption.

Compliance with the organization’s information security requirements

A

Compliance with the organization’s information security requirements

95
Q

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:

review the functionalities and implementation requirements of the solution.

review comparison reports of tool implementation in peer companies.

provide examples of situations where such a tool would be useful.

substantiate the investment in meeting organizational needs.

A

substantiate the investment in meeting organizational needs.

96
Q

The MOST useful way to describe the objectives in the information security strategy is through:

attributes and characteristics of the “desired state.”

overall control objectives of the security program.

mapping the IT systems to key business processes.

calculation of annual loss expectations.

A

attributes and characteristics of the “desired state.”

97
Q

In order to highlight to management the importance of network security, the security manager should FIRST:

  • develop a security architecture.
  • install a network intrusion detection system (NIDS) and prepare a list of attacks.
  • develop a network security policy.
  • conduct a risk assessment.
A

conduct a risk assessment.

98
Q

When developing an information security program, what is the MOST useful source of information for determining available resources?

Proficiency test

Job descriptions

Organization chart

Skills inventory

A

Skills inventory

99
Q

The MOST important characteristic of good security policies is that they:

state expectations of IT management.

state only one general security mandate.

are aligned with organizational goals.

govern the creation of procedures and guidelines.

A

are aligned with organizational goals.

100
Q

An information security manager must understand the relationship between information security and business operations in order to:

support organizational objectives.

determine likely areas of noncompliance.

assess the possible impacts of compromise.

understand the threats to the business.

A

support organizational objectives.

101
Q

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

  • escalate issues to an external third party for resolution.
  • ensure that senior management provides authority for security to address the issues.
  • insist that managers or units not in agreement with the security solution accept the risk.
  • refer the issues to senior management along with any security recommendations.
A

refer the issues to senior management along with any security recommendations.

102
Q

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

establishing a periodic risk assessment.

promoting regulatory requirements.

developing a business case.

developing effective metrics

A

developing a business case.

103
Q

Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

Include security responsibilities in the job description

Require the administrator to obtain security certification

Train the system administrator on penetration testing and vulnerability assessment

Train the system administrator on risk assessment

A

Include security responsibilities in the job description

104
Q

Which of the following is the MOST important element of an information security strategy?

Defined objectives

Time frames for delivery

Adoption of a control framework

Complete policies

A

Defined objectives

105
Q

A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the Information security program?

Representation by regional business leaders

Composition of the board

Cultures of the different countries

IT security skills

A

Cultures of the different countries

106
Q

Which of the following is the BEST justification to convince management to invest in an information security program?

Cost reduction

Compliance with company policies

Protection of business assets

Increased business value

A

Increased business valueI

107
Q

On a company’s e-commerce web site, a good legal statement regarding data privacy should include:

  • a statement regarding what the company will do with the information it collects.
  • a disclaimer regarding the accuracy of information on its web site.
  • technical information regarding how information is protected.
  • a statement regarding where the information is being hosted.
A

a statement regarding what the company will do with the information it collects.

108
Q

The MOST important factor in ensuring the success of an information security program is effective:

  • communication of information security requirements to all users in the organization.
  • formulation of policies and procedures for information security.
  • alignment with organizational goals and objectives.
  • monitoring compliance with information security policies and procedures.
A

alignment with organizational goals and objectives.

109
Q

Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?

Key control monitoring

A robust security awareness program

A security program that enables business activities

An effective security architecture

A

A security program that enables business activities

110
Q

Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?

Continuous analysis, monitoring and feedback

Continuous monitoring of the return on security investment (ROI)

Continuous risk reduction

Key risk indicator (KRI) setup to security management processes

A

Continuous analysis, monitoring and feedback

111
Q

The MOST complete business case for security solutions is one that:

includes appropriate justification.

explains the current risk profile.

details regulatory requirements.

identifies incidents and losses.

A

includes appropriate justification.

112
Q

Which of the following is MOST important to understand when developing a meaningful information security strategy?

Regulatory environment

International security standards

Organizational risks

Organizational goals

A

Organizational goals

113
Q

Which of the following is an advantage of a centralized information security organizational structure?

It is easier to promote security awareness.

It is easier to manage and control.

It is more responsive to business unit needs.

It provides a faster turnaround for security requests.

A

It is easier to manage and control.

114
Q

Which of the following would help to change an organization’s security culture?

Develop procedures to enforce the information security policy

Obtain strong management support

Implement strict technical security controls

Periodically audit compliance with the information security policy

A

Obtain strong management support

115
Q

The BEST way to justify the implementation of a single sign-on (SSO) product is to use:

return on investment (ROI).

a vulnerability assessment.

annual loss expectancy (ALE).

a business case.

A

a business case.

116
Q

The FIRST step in establishing a security governance program is to:

conduct a risk assessment.

conduct a workshop for all end users.

prepare a security budget.

obtain high-level sponsorship.

A

obtain high-level sponsorship.

117
Q

An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:

conflicting security controls with organizational needs.

strong protection of information resources.

implementing appropriate controls to reduce risk.

proving information security’s protective abilities.

A

conflicting security controls with organizational needs.

118
Q

An organization’s information security strategy should be based on:

  • managing risk relative to business objectives.
  • managing risk to a zero level and minimizing insurance premiums.
  • avoiding occurrence of risks so that insurance is not required.
  • transferring most risks to insurers and saving on control costs.
A

managing risk relative to business objectives.

119
Q

Which of the following should be included in an annual information security budget that is submitted for management approval?

A cost-benefit analysis of budgeted resources

All of the resources that are recommended by the business

Total cost of ownership (TCO)

Baseline comparisons

A

A cost-benefit analysis of budgeted resources

120
Q

Which of the following is a benefit of information security governance?

Reduction of the potential for civil or legal liability

Questioning trust in vendor relationships

Increasing the risk of decisions based on incomplete management information

Direct involvement of senior management in developing control processes

A

Reduction of the potential for civil or legal liability

121
Q

Investment in security technology and processes should be based on:

  • clear alignment with the goals and objectives of the organization.
  • success cases that have been experienced in previous projects.
  • best business practices.
  • safeguards that are inherent in existing technology.
A

clear alignment with the goals and objectives of the organization.

122
Q

The data access requirements for an application should be determined by the:

legal department.

compliance officer.

information security manager.

business owner.

A

business owner.

123
Q

From an information security perspective, information that no longer supports the main purpose of the business should be:

analyzed under the retention policy.

protected under the information classification policy.

analyzed under the backup policy.

protected under the business impact analysis (BIA).

A

analyzed under the retention policy.

124
Q

The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?

Laws and regulations of the country of origin may not be enforceable in the foreign country.

A security breach notification might get delayed due to the time difference.

Additional network intrusion detection sensors should be installed, resulting in an additional cost.

The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

A

Laws and regulations of the country of origin may not be enforceable in the foreign country.

125
Q

Effective IT governance is BEST ensured by:

  • utilizing a bottom-up approach.
  • management by the IT department.
  • referring the matter to the organization’s legal department.
  • utilizing a top-down approach.
A

utilizing a top-down approach.

126
Q

The FIRST step to create an internal culture that focuses on information security is to:

implement stronger controls.

conduct periodic awareness training.

actively monitor operations.

gain the endorsement of executive management.

A

gain the endorsement of executive management.

127
Q

Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?

Obtain the support of the board of directors.

Improve the content of the information security awareness program.

Improve the employees’ knowledge of security policies.

Implement logical access controls to the information systems.

A

Obtain the support of the board of directors.

128
Q

When an organization is implementing an information security governance program, its board of directors should be responsible for:

drafting information security policies.

reviewing training and awareness programs.

setting the strategic direction of the program.

auditing for compliance.

A

setting the strategic direction of the program.

129
Q

A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?

Acceptance of the business manager’s decision on the risk to the corporation

Acceptance of the information security manager’s decision on the risk to the corporation

Review of the assessment with executive management for final input

A new risk assessment and BIA are needed to resolve the disagreement

A

Review of the assessment with executive management for final input

130
Q

Who is responsible for ensuring that information is categorized and that specific protective measures are taken?

The security officer

Senior management

The end user

The custodian

A

Senior management

131
Q

An organization’s board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?

Direct information security on what they need to do

Research solutions to determine the proper solutions

Require management to report on compliance

Nothing; information security does not report to the board

A

Require management to report on compliance

132
Q

Information security should be:

focused on eliminating all risks.

a balance between technical and business requirements.

driven by regulatory requirements.

defined by the board of directors.

A

a balance between technical and business requirements.

133
Q

What is the MOST important factor in the successful implementation of an enterprise wide information security program?

Realistic budget estimates

Security awareness

Support of senior management

Recalculation of the work factor

A

Support of senior management

134
Q

What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?

Functional requirements are not adequately considered.

User training programs may be inadequate.

Budgets allocated to business units are not appropriate.

Information security plans are not aligned with business requirements

A

Information security plans are not aligned with business requirements

135
Q

The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:

  • the plan aligns with the organization’s business plan.
  • departmental budgets are allocated appropriately to pay for the plan.
  • regulatory oversight requirements are met.
  • the impact of the plan on the business units is reduced.
A

the plan aligns with the organization’s business plan.

136
Q

The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:

  • the plan aligns with the organization’s business plan.
  • departmental budgets are allocated appropriately to pay for the plan.
  • regulatory oversight requirements are met.
  • the impact of the plan on the business units is reduced.
A

the plan aligns with the organization’s business plan.

137
Q

Which of the following should be determined while defining risk management strategies?

Risk assessment criteria

Organizational objectives and risk appetite

IT architecture complexity

Enterprise disaster recovery plans

A

Organizational objectives and risk appetite

138
Q

When implementing effective security governance within the requirements of the company’s security strategy, which of the following is the MOST important factor to consider?

Preserving the confidentiality of sensitive data

Establishing international security standards for data sharing

Adhering to corporate privacy standards

Establishing system manager responsibility for information security

A

Preserving the confidentiality of sensitive data

139
Q

Which of the following is the BEST reason to perform a business impact analysis (BIA)?

To help determine the current state of risk

To budget appropriately for needed controls

To satisfy regulatory requirements

To analyze the effect on the business

A

To help determine the current state of risk

140
Q
A

CISM Study Questions B (5 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions