CISM : Certified Information Security Manager : Part 17

  1. An information security manager has been asked to create a strategy to protect the organization’s information from a variety of threat vectors. Which of the following should be done FIRST?

    • Perform a threat modeling exercise
    • Develop a risk profile
    • Design risk management processes
    • Select a governance framework
  2. Which of the following would BEST ensure that security risk assessment is integrated into the life cycle of major IT projects?

    • Integrating the risk assessment into the internal audit program
    • Applying global security standards to the IT projects
    • Training project managers on risk assessment
    • Having the information security manager participate on the project setting committees
  3. An information security manager has completed a risk assessment and has determined the residual risk. Which of the following should be the NEXT step?

    • Conduct an evaluation of controls
    • Determine if the risk is within the risk appetite
    • Implement countermeasures to mitigate risk
    • Classify all identified risks
  4. Which of the following would be the BEST indicator that an organization is appropriately managing risk?

    • The number of security incident events reported by staff has increased
    • Risk assessment results are within tolerance
    • A penetration test does not identify any high-risk system vulnerabilities
    • The number of events reported from the intrusion detection system has declined
  5. A large organization is considering a policy that would allow employees to bring their own smartphones into the organizational environment. The MOST important concern to the information security manager should be the:

    • higher costs in supporting end users
    • impact on network capacity
    • decrease in end user productivity
    • lack of a device management solution
  6. Which of the following vulnerabilities presents the GREATEST risk of external hackers gaining access to the corporate network?

    • Internal hosts running unnecessary services
    • Inadequate logging
    • Excessive administrative rights to an internal database
    • Missing patches on a workstation
  7. An information security manager has developed a strategy to address new information security risks resulting from recent changes in the business. Which of the following would be MOST important to include when presenting the strategy to senior management?

    • The costs associated with business process changes
    • Results of benchmarking against industry peers
    • The impact of organizational changes on the security risk profile
    • Security controls needed for risk mitigation
  8. What is the BEST way to determine the level of risk associated with information assets processed by an IT application?

    • Evaluate the potential value of information for an attacker
    • Calculate the business value of the information assets
    • Review the cost of acquiring the information assets for the business
    • Research compliance requirements associated with the information
  9. When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action would be to:

    • monitor for business changes
    • review the residual risk level
    • report compliance to management
    • implement controls to mitigate the risk
  10. Which of the following would be MOST useful in a report to senior management for evaluating changes in the organization’s information security risk position?

    • Risk register
    • Trend analysis
    • Industry benchmarks
    • Management action plan
  11. An information security manager is preparing a presentation to obtain support for a security initiative. Which of the following would be the BEST way to obtain management’s commitment for the initiative?

    • Include historical data of reported incidents
    • Provide the estimated return on investment
    • Provide an analysis of current risk exposures
    • Include industry benchmarking comparisons
  12. Which of the following is the MOST significant security risk in IT asset management?

    • IT assets may be used by staff for private purposes
    • Unregistered IT assets may not be supported
    • Unregistered IT assets may not be included in security documentation
    • Unregistered IT assets may not be configured properly
  13. Which of the following is the MOST effective method of preventing deliberate internal security breaches?

    • Screening prospective employees
    • Well-designed firewall system
    • Well-designed intrusion detection system (IDS)
    • Biometric security access control
  14. A business previously accepted the risk associated with a zero-day vulnerability. The same vulnerability was recently exploited in a high-profile attack on another organization in the same industry. Which of the following should be the information security manager’s FIRST course of action?

    • Reassess the risk in terms of likelihood and impact
    • Develop best and worst case scenarios
    • Report the breach of the other organization to senior management
    • Evaluate the cost of remediating the vulnerability
  15. To effectively manage an organization’s information security risk, it is MOST important to:

    • periodically identify and correct new systems vulnerabilities
    • assign risk management responsibility to end users
    • benchmark risk scenarios against peer organizations
    • establish and communicate risk tolerance
  16. Which of the following is the BEST course of action for the information security manager when residual risk is above the acceptable level of risk?

    • Perform a cost-benefit analysis
    • Recommend additional controls
    • Carry out a risk assessment
    • Defer to business management
  17. Which of the following is the BEST reason to initiate a reassessment of current risk?

    • Follow-up to an audit report
    • A recent security incident
    • Certification requirements
    • Changes to security personnel
  18. Before final acceptance of residual risk, what is the BEST way for an information security manager to address risk factors determined to be lower than acceptable risk levels?

    • Evaluate whether an excessive level of control is being applied.
    • Ask senior management to increase the acceptable risk levels.
    • Implement more stringent countermeasures.
    • Ask senior management to lower the acceptable risk levels.
  19. When selecting risk response options to manage risk, an information security manager’s MAIN focus should be on reducing:

    • exposure to meet risk tolerance levels.
    • the likelihood of threat.
    • financial loss by transferring risk.
    • the number of security vulnerabilities.
  20. Which of the following should an information security manager perform FIRST when an organization’s residual risk has increased?

    • Implement security measures to reduce the risk.
    • Communicate the information to senior management.
    • Transfer the risk to third parties.
    • Assess the business impact.