CISM : Certified Information Security Manager : Part 09

  1. The MOST important element in achieving executive commitment to an information security governance program is:

    • a defined security framework
    • identified business drivers
    • established security strategies
    • a process improvement model
  2. After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan?

    • Risk heat map
    • Recent audit results
    • Balanced scorecard
    • Gap analysis
  3. An information security manager’s PRIMARY objective for presenting key risks to the board of directors is to:

    • meet information security compliance requirements.
    • ensure appropriate information security governance.
    • quantify reputational risks.
    • re-evaluate the risk appetite.
  4. Which of the following is MOST helpful in integrating information security governance with corporate governance?

    • Assigning the implementation of information security governance to the steering committee.
    • Including information security processes within operational and management processes.
    • Providing independent reports of information security efficiency and effectiveness to the board.
    • Aligning the information security governance to a globally accepted framework.
  5. Which of the following is the BEST way to align security and business strategies?

    • Include security risk as part of corporate risk management.
    • Develop a balanced scorecard for security.
    • Establish key performance indicators (KPIs) for business through security processes.
    • Integrate information security governance into corporate governance.
  6. When developing an information security governance framework, which of the following should be the FIRST activity?

    • Integrate security within the system’s development life-cycle process.
    • Align the information security program with the organization’s other risk and control activities.
    • Develop policies and procedures to support the framework.
    • Develop response measures to detect and ensure the closure of security breaches.
  7. Which of the following is the MOST effective way for senior management to support the integration of information security governance into corporate governance?

    • Develop the information security strategy based on the enterprise strategy.
    • Appoint a business manager as head of information security.
    • Promote organization-wide information security awareness campaigns.
    • Establish a steering committee with representation from across the organization.
  8. Which of the following would BEST help to ensure the alignment between information security and business functions?

    • Developing information security policies
    • Establishing an information security governance committee
    • Establishing a security awareness program
    • Providing funding for information security efforts
  9. When establishing an information security governance framework, it is MOST important for an information security manager to understand:

    • the regulatory environment.
    • information security best practices.
    • the corporate culture.
    • risk management techniques.
  10. Which of the following is a PRIMARY responsibility of the information security governance function?

    • Defining security strategies to support organizational programs
    • Ensuring adequate support for solutions using emerging technologies
    • Fostering a risk-aware culture to strengthen the information security program
    • Advising senior management on optimal levels of risk appetite and tolerance
  11. Which of the following is the MOST important requirement for the successful implementation of security governance?

    • Implementing a security balanced scorecard
    • Performing an enterprise-wide risk assessment
    • Mapping to organizational strategies
    • Aligning to an international security framework
  12. A large organization is in the process of developing its information security program that involves working with several complex organizational functions. Which of the following will BEST enable the successful implementation of this program?

    • Security governance
    • Security policy
    • Security metrics
    • Security guidelines
  13. Which of the following is a PRIMARY responsibility of an information security governance committee?

    • Analyzing information security policy compliance reviews
    • Approving the purchase of information security technologies
    • Reviewing the information security strategy
    • Approving the information security awareness training strategy
  14. An information security manager discovers that the organization’s new information security policy is not being followed across all departments. Which of the following should be of GREATEST concern to the information security manager?

    • Different communication methods may be required for each business unit.
    • Business unit management has not emphasized the importance of the new policy.
    • The corresponding controls are viewed as prohibitive to business operations.
    • The wording of the policy is not tailored to the audience.
  15. An organization has detected potential risk emerging from noncompliance with new regulations in its industry. Which of the following is the MOST important reason to report this situation to senior management?

    • The risk profile needs to be updated.
    • An external review of the risk needs to be conducted.
    • Specific monitoring controls need to be implemented.
    • A benchmark analysis needs to be performed.
  16. Which of the following is the BEST way for an information security manager to identify compliance with information security policies within an organization?

    • Analyze system logs.
    • Conduct security awareness testing.
    • Perform vulnerability assessments.
    • Conduct periodic audits.
  17. The BEST way to encourage good security practices is to:

    • schedule periodic compliance audits.
    • discipline those who fail to comply with the security policy.
    • recognize appropriate security behavior by individuals.
    • publish the information security policy.
  18. Which of the following enables compliance with a nonrepudiation policy requirement for electronic transactions?

    • Digital certificates
    • Digital signatures
    • Encrypted passwords
    • One-time passwords
  19. Which of the following is the BEST approach to identify noncompliance issues with legal, regulatory, and contractual requirements?

    • Risk assessment
    • Business impact analysis (BIA)
    • Vulnerability assessment
    • Gap analysis
  20. A new version of an information security regulation is published that requires an organization’s compliance. The information security manager should FIRST:

    • perform an audit based on the new version of the regulation.
    • conduct a risk assessment to determine the risk of noncompliance.
    • conduct benchmarking against similar organizations.
    • perform a gap analysis against the new regulation.