Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 11

  1. Which of the following is MOST critical for an effective information security governance framework?

    • Board members are committed to the information security program.
    • Information security policies are reviewed on a regular basis.
    • The information security program is continually monitored.
    • The CIO is accountable for the information security program.
  2. Which of the following is MOST important when establishing a successful information security governance framework?

    • Selecting information security steering committee members
    • Developing an information security strategy
    • Determining balanced scorecard metrics for information security
    • Identifying information security risk scenarios
  3. When creating an information security governance program, which of the following will BEST enable the organization to address regulatory compliance requirements?

    • Guidelines for processes and procedures
    • A security control framework
    • An approved security strategy plan
    • Input from the security steering committee
  4. An organization enacted several information security policies to satisfy regulatory requirements. Which of the following situations would MOST likely increase the probability of noncompliance to these requirements?

    • Inadequate buy-in from system owners to support the policies
    • Availability of security policy documents on a public website
    • Lack of training for end users on security policies
    • Lack of an information security governance framework
  5. Which of the following is the BEST evidence that an organization’s information security governance framework is effective?

    • Threats to the organization have diminished.
    • The risk register is reviewed annually.
    • The framework focuses primarily on technical controls.
    • The framework can adapt to organizational changes.
  6. In information security governance, the PRIMARY role of the board of directors is to ensure:

    • approval of relevant policies and standards.
    • communication of security posture to stakeholders.
    • compliance with regulations and best practices.
    • alignment with the strategic goals of the organization.
  7. Which of the following is the STRONGEST indicator of effective alignment between corporate governance and information security governance?

    • Senior management sponsors information security efforts.
    • Senior management requests periodic information security updates.
    • Key performance indicators (KPIs) for controls trend positively.
    • Information security initiatives meet scope, schedule, and budget.
  8. Which of the following should be the PRIMARY consideration when developing a security governance framework for an enterprise?

    • Understanding of the current business strategy
    • Assessment of the current security architecture
    • Results of a business impact analysis (BIA)
    • Benchmarking against industry best practice
  9. Who should decide the extent to which an organization will comply with new cybersecurity regulatory requirements?

    • Senior management
    • IT steering committee
    • Legal counsel
    • Information security manager
  10. Which of the following would BEST help an information security manager prioritize remediation activities to meet regulatory requirements?

    • A capability maturity model matrix
    • Annual loss expectancy (ALE) of noncompliance
    • Cost of associated controls
    • Alignment with the IT strategy
  11. Which of the following is the PRIMARY reason an information security strategy should be deployed across an organization?

    • To ensure that the business complies with security regulations
    • To ensure that management’s intent is reflected in security activities
    • To ensure that employees adhere to security standards
    • To ensure that security-related industry best practices are adopted
  12. Which of the following is the BEST option for addressing regulations that will adversely affect the allocation of information security program resources?

    • Prioritize compliance efforts based on probability.
    • Determine compliance levels of peer organizations.
    • Delay implementation of compliance activities.
    • Conduct assessments for management decisions.
  13. Which of the following should an information security manager do FIRST after learning about a new regulation that affects the organization?

    • Evaluate the changes with legal counsel.
    • Notify the affected business units.
    • Assess the noncompliance risk.
    • Inform senior management of the new regulation.
  14. Which of the following should be the FIRST step to ensure an information security program meets the requirements of new regulations?

    • Validate the asset classification schema.
    • Integrate compliance into the risk management process.
    • Assess organizational security controls.
    • Conduct a gap analysis to determine necessary changes.
  15. Which of the following is MOST important to consider when handling digital evidence during the forensics investigation of a cybercrime?

    • Business strategies
    • Industry best practices
    • Global standards
    • Local regulations
  16. A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?

    • Investigate alternative options to remediate the noncompliance.
    • Assess the business impact to the organization.
    • Present the noncompliance risk to senior management.
    • Determine the cost to remediate the noncompliance.
  17. During the establishment of a service level agreement (SLA) with a cloud service provider, it is MOST important for the information security manager to:

    • update the security policy to reflect the provider’s terms of service.
    • ensure security requirements are contractually enforceable.
    • set up proper communication paths with the provider.
    • understand the cloud storage architecture in use to determine security risk.
  18. An outsourced vendor handles an organization’s business-critical data. Which of the following is the MOST effective way for the client organization to obtain assurance of the vendor’s security practices?

    • Verifying security certifications held by the vendor
    • Reviewing the vendor’s security audit reports
    • Requiring periodic independent third-party reviews
    • Requiring business continuity plans (BCPs) from the vendor
  19. Which of the following is MOST important when carrying out a forensic examination of a laptop to determine an employee’s involvement in a fraud?

    • The employee’s network access should be suspended.
    • The laptop should not be removed from the company premises.
    • An HR representative should be present during the laptop examination.
    • The investigation should be conducted on an image of the original disk drive.
  20. Which of the following is a PRIMARY responsibility of an information security steering committee?

    • Reviewing the information security strategy
    • Approving the information security awareness training strategy
    • Analyzing information security policy compliance reviews
    • Approving the purchase of information security technologies