CISM Practice C Topic 1

Question 1

Which of the following should be the FIRST step in developing an information security plan?

Answer 1

Analyze the current business strategy

Question 2

Senior management commitment and support for information security can BEST be obtained through presentations that:

Answer 2

tie security risks to key business objectives.

Question 3

The MOST appropriate role for senior management in supporting information security is the:

Answer 3

approval of policy statements and funding.

Question 4

Which of the following would BEST ensure the success of information security governance within an organization?

Answer 4

Steering committees approve security projects

Question 5

Information security governance is PRIMARILY driven by:

Answer 5

business strategy.

Question 6

Which of the following represents the MAJOR focus of privacy regulations?

Answer 6

Identifiable personal data

Question 7

Investments in information security technologies should be based on:

Answer 7

value analysis.

Question 8

Retention of business records should PRIMARILY be based on:

Answer 8

regulatory and legal requirements.

Question 9

Which of the following is characteristic of centralized information security management?

Answer 9

Better adherence to policies

Question 10

Successful implementation of information security governance will FIRST require:

Answer 10

updated security policies.

Question 11

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

Answer 11

Chief operating officer (COO)

Question 12

The MOST important component of a privacy policy is:

Answer 12

notifications.

Question 13

The cost of implementing a security control should not exceed the:

Answer 13

asset value.

Question 14

When a security standard conflicts with a business objective, the situation should be resolved by:

Answer 14

performing a risk analysis.

Question 15

Minimum standards for securing the technical infrastructure should be defined in a security:

Answer 15

architecture.

Question 16

Which of the following is MOST appropriate for inclusion in an information security strategy?

Answer 16

Security processes, methods, tools and techniques

Question 17

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:

Answer 17

organizational risk.

Question 18

Which of the following roles would represent a conflict of interest for an information security manager?

Answer 18

Final approval of information security policies

Question 19

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?T

Answer 19

The data center manager has final signoff on all security projects.

Question 20

Which of the following requirements would have the lowest level of priority in information security?

Answer 20

Technical

Question 21

When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?

Answer 21

Establish good communication with steering committee members

Question 22

It is MOST important that information security architecture be aligned with which of the following?

Answer 22

Business objectives and goals

Question 23

Which of the following is MOST likely to be discretionary?

Answer 23

Guidelines

Question 24

Security technologies should be selected PRIMARILY on the basis of their:

Answer 24

ability to mitigate business risks.

Question 25

Which of the following are seldom changed in response to technological changes?

Answer 25

Policies

Question 26

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:

Answer 26

application systems and media.

Question 27

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

Answer 27

Better alignment to business unit needs

Question 28

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

Answer 28

Chief operating officer (COO)

Question 29

Which of the following would be the MOST important goal of an information security governance program?

Answer 29

Ensuring trust in data

Question 30

Relationships among security technologies are BEST defined through which of the following?

Answer 30

Security architecture

Question 31

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

Answer 31

Perform a risk analysis to quantify the risk

Question 32

Acceptable levels of information security risk should be determined by:

Answer 32

the steering committee.

Question 33

The PRIMARY goal in developing an information security strategy is to:

Answer 33

support the business objectives of the organization.

Question 34

Senior management commitment and support for information security can BEST be enhanced through:

Answer 34

periodic review of alignment with business management goals.

Question 35

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

Answer 35

Develop policies that meet all mandated requirements

Question 36

Which of the following MOST commonly falls within the scope of an information security governance steering committee?

Answer 36

Prioritizing information security initiatives

Question 37

Which of the following is the MOST important factor when designing information security architecture?

Answer 37

Stakeholder requirements

Question 38

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?

Answer 38

Ability to understand and map organizational needs to security technologies

Question 39

Which of the following are likely to be updated MOST frequently?

Answer 39

Procedures for hardening database servers

Question 40

Who should be responsible for enforcing access rights to application data?

Answer 40

Security administrators

Question 41

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

Answer 41

chief operations officer (COO).

Question 42

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

Answer 42

Develop an information security strategy paper

Question 43

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

Answer 43

calculating return on investment (ROI) projections.

Question 44

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

Answer 44

aligned with the business strategy.

Question 45

Which of the following is the MOST important information to include in a strategic plan for information security?

Answer 45

Current state and desired future state

Question 46

Information security projects should be prioritized on the basis of:

Answer 46

impact on the organization.

Question 47

Which of the following is the MOST important information to include in an information security standard?

Answer 47

Last review date

Question 48

Which of the following would BEST prepare an information security manager for regulatory reviews? department

Answer 48

Perform self-assessments using regulatory guidelines and reports

Question 49

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

Answer 49

establish baseline standards for all locations and add supplemental standards as required.

Question 50

Which of the following BEST describes an information security manager’s role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

Answer 50

Evaluate the impact of information security risks

Question 51

From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities?

Answer 51

Better accountability

Question 52

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

Answer 52

Risk assessment reports

Question 53

Reviewing which of the following would BEST ensure that security controls are effective?

Answer 53

Security metrics

Question 54

Which of the following is responsible for legal and regulatory liability?

Answer 54

Board and senior management

Question 55

While implementing information security governance an organization should FIRST:

Answer 55

define the security strategy.

Question 56

Information security policy enforcement is the responsibility of the:

Answer 56

chief information security officer (CISO).

Question 57

A good privacy statement should include:

Answer 57

what the company will do with information it collects.

Question 58

Which of the following would be MOST effective in successfully implementing restrictive password policies?

Answer 58

Security awareness program

Question 59

When designing an information security quarterly report to management, the MOST important element to be considered should be the:

Answer 59

linkage to business area objectives.

Question 60

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

Answer 60

data privacy policy where data are collected.

Question 61

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

Answer 61

assess whether existing controls meet the regulation.

Question 62

The PRIMARY objective of a security steering group is to:

Answer 62

ensure information security aligns with business goals.

Question 63

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

Answer 63

policy.

Question 64

At what stage of the applications development process should the security department initially become involved?

Answer 64

At detail requirements

Question 65

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

Answer 65

Associating realistic threats to corporate objectives

Question 66

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

Answer 66

business requirements.

Question 67

When personal information is transmitted across networks, there MUST be adequate controls over:

Answer 67

privacy protection.

Question 68

An organization’s information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

Answer 68

ensure that security processes are consistent across the organization.

Question 69

Who in an organization has the responsibility for classifying information?

Answer 69

Data owner

Question 70

What is the PRIMARY role of the information security manager in the process of information classification within an organization?

Answer 70

Defining and ratifying the classification structure of information assets

Question 71

Logging is an example of which type of defense against systems compromise?

Answer 71

Detection

Question 72

Which of the following is MOST important in developing a security strategy?

Answer 72

Understanding key business objectives

Question 73

Who is ultimately responsible for the organization’s information?

Answer 73

Board of directors

Question 74

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

Answer 74

Regulatory compliance

Question 75

A security manager meeting the requirements for the international flow of personal data will need to ensure:

Answer 75

the agreement of the data subjects.

Question 76

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

Answer 76

Proportionality

Question 77

Which of the following is the MOST important prerequisite for establishing information securitymanagement within an organization?

Answer 77

Senior management commitment

Question 78

What will have the HIGHEST impact on standard information security governance models?

Answer 78

Complexity of organizational structure

Question 79

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

Answer 79

conduct a risk assessment.

Question 80

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:

Answer 80

it implies compliance risks.

Question 81

An outcome of effective security governance is:

Answer 81

strategic alignment.

Question 82

How would an information security manager balance the potentially conflicting requirements of an international organization’s security standards and local regulation?

Answer 82

Negotiate a local version of the organization standards

Question 83

Who should drive the risk analysis for an organization?

Answer 83

Security manager

Question 84

The FIRST step in developing an information security management program is to:

Answer 84

clarify organizational purpose for creating the program.

Question 85

Which of the following is the MOST important to keep in mind when assessing the value of information?

Answer 85

The potential financial loss

Question 86

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

Answer 86

Business case

Question 87

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

Answer 87

Cost-benefit analysis

Question 88

Which of the following situations would MOST inhibit the effective implementation of security governance:

Answer 88

High-level sponsorship

Question 89

To achieve effective strategic alignment of security initiatives, it is important that:

Answer 89

Inputs be obtained and consensus achieved between the major organizational units.

Question 90

What would be the MOST significant security risks when using wireless local area network (LAN) technology?

Answer 90

Rogue access point

Question 91

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?

Answer 91

Information security manager

Question 92

In implementing information security governance, the information security manager is PRIMARILY responsible for:

Answer 92

developing the security strategy.

Question 93

An information security strategy document that includes specific links to an organization’s business activities is PRIMARILY an indicator of:

Answer 93

alignment.

Question 94

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

Answer 94

Compliance with the organization’s information security requirements

Question 95

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:

Answer 95

substantiate the investment in meeting organizational needs.

Question 96

The MOST useful way to describe the objectives in the information security strategy is through:

Answer 96

attributes and characteristics of the “desired state.”

Question 97

In order to highlight to management the importance of network security, the security manager should FIRST:

Answer 97

conduct a risk assessment.

Question 98

When developing an information security program, what is the MOST useful source of information for determining available resources?

Answer 98

Skills inventory

Question 99

The MOST important characteristic of good security policies is that they:

Answer 99

are aligned with organizational goals.

Question 100

An information security manager must understand the relationship between information security and business operations in order to:

Answer 100

support organizational objectives.

Question 101

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

Answer 101

refer the issues to senior management along with any security recommendations.

Question 102

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

Answer 102

developing a business case.

Question 103

Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

Answer 103

Include security responsibilities in the job description

Question 104

Which of the following is the MOST important element of an information security strategy?

Answer 104

Defined objectives

Question 105

A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the Information security program?

Answer 105

Cultures of the different countries

Question 106

Which of the following is the BEST justification to convince management to invest in an information security program?

Answer 106

Increased business valueI

Question 107

On a company’s e-commerce web site, a good legal statement regarding data privacy should include:

Answer 107

a statement regarding what the company will do with the information it collects.

Question 108

The MOST important factor in ensuring the success of an information security program is effective:

Answer 108

alignment with organizational goals and objectives.

Question 109

Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?

Answer 109

A security program that enables business activities

Question 110

Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?

Answer 110

Continuous analysis, monitoring and feedback

Question 111

The MOST complete business case for security solutions is one that:

Answer 111

includes appropriate justification.

Question 112

Which of the following is MOST important to understand when developing a meaningful information security strategy?

Answer 112

Organizational goals

Question 113

Which of the following is an advantage of a centralized information security organizational structure?

Answer 113

It is easier to manage and control.

Question 114

Which of the following would help to change an organization’s security culture?

Answer 114

Obtain strong management support

Question 115

The BEST way to justify the implementation of a single sign-on (SSO) product is to use:

Answer 115

a business case.

Question 116

The FIRST step in establishing a security governance program is to:

Answer 116

obtain high-level sponsorship.

Question 117

An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:

Answer 117

conflicting security controls with organizational needs.

Question 118

An organization’s information security strategy should be based on:

Answer 118

managing risk relative to business objectives.

Question 119

Which of the following should be included in an annual information security budget that is submitted for management approval?

Answer 119

A cost-benefit analysis of budgeted resources

Question 120

Which of the following is a benefit of information security governance?

Answer 120

Reduction of the potential for civil or legal liability

Question 121

Investment in security technology and processes should be based on:

Answer 121

clear alignment with the goals and objectives of the organization.

Question 122

The data access requirements for an application should be determined by the:

Answer 122

business owner.

Question 123

From an information security perspective, information that no longer supports the main purpose of the business should be:

Answer 123

analyzed under the retention policy.

Question 124

The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?

Answer 124

Laws and regulations of the country of origin may not be enforceable in the foreign country.

Question 125

Effective IT governance is BEST ensured by:

Answer 125

utilizing a top-down approach.

Question 126

The FIRST step to create an internal culture that focuses on information security is to:

Answer 126

gain the endorsement of executive management.

Question 127

Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?

Answer 127

Obtain the support of the board of directors.

Question 128

When an organization is implementing an information security governance program, its board of directors should be responsible for:

Answer 128

setting the strategic direction of the program.

Question 129

A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?A

Answer 129

Review of the assessment with executive management for final input

Question 130

Who is responsible for ensuring that information is categorized and that specific protective measures are taken?

Answer 130

Senior management

Question 131

An organization’s board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?

Answer 131

Require management to report on compliance

Question 132

Information security should be:

Answer 132

a balance between technical and business requirements.

Question 133

What is the MOST important factor in the successful implementation of an enterprise wide information security program?

Answer 133

Support of senior management

Question 134

What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?

Answer 134

Information security plans are not aligned with business requirements

Question 135

The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:

Answer 135

the plan aligns with the organization’s business plan.

Question 136

The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:

Answer 136

the plan aligns with the organization’s business plan.

Question 137

Which of the following should be determined while defining risk management strategies?

Answer 137

Organizational objectives and risk appetite

Question 138

When implementing effective security governance within the requirements of the company’s security strategy, which of the following is the MOST important factor to consider?

Answer 138

Preserving the confidentiality of sensitive data

Question 139

Which of the following is the BEST reason to perform a business impact analysis (BIA)?

Answer 139

To help determine the current state of risk