Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 22

  1. Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?

    • Systems operation procedures are not enforced
    • Change management procedures are poor
    • Systems development is outsourced
    • Systems capacity management is not performed

    Explanation:
    The lack of change management is a severe omission and will greatly increase information security risk. Since procedures are generally nonauthoritative, their lack of enforcement is not a primary concern. Systems that are developed by third-party vendors are becoming commonplace and do not represent an increase in security risk as much as poor change management. Poor capacity management may not necessarily represent a security risk.

  2. Which of the following BEST describes the scope of risk analysis?

    • Key financial systems
    • Organizational activities
    • Key systems and infrastructure
    • Systems subject to regulatory compliance

    Explanation:
    Risk analysis should include all organizational activities. It should not be limited to subsets of systems or just systems and infrastructure.

  3. The decision as to whether a risk has been reduced to an acceptable level should be determined by:

    • organizational requirements.
    • information systems requirements.
    • information security requirements.
    • international standards.

    Explanation:
    Organizational requirements should determine when a risk has been reduced to an acceptable level. Information systems and information security should not make the ultimate determination. Since each organization is unique, international standards of best practice do not represent the best solution.

  4. Which of the following is the PRIMARY reason for implementing a risk management program?

    • Allows the organization to eliminate risk
    • Is a necessary part of management’s due diligence
    • Satisfies audit and regulatory requirements
    • Assists in incrementing the return on investment (ROI)

    Explanation:
    The key reason for performing risk management is that it is part of management’s due diligence. The elimination of all risk is not possible. Satisfying audit and regulatory requirements is of secondary importance. A risk management program may or may not increase the return on investment (ROI).

  5. Which of the following groups would be in the BEST position to perform a risk analysis for a business?

    • External auditors
    • A peer group within a similar business
    • Process owners
    • A specialized management consultant

    Explanation:
    Process owners have the most in-depth knowledge of risks and compensating controls within their environment. External parties do not have that level of detailed knowledge on the inner workings of the business. Management consultants are expected to have the necessary skills in risk analysis techniques but are still less effective than a group with intimate knowledge of the business.

  6. A successful risk management program should lead to:

    • optimization of risk reduction efforts against cost.
    • containment of losses to an annual budgeted amount.
    • identification and removal of all man-made threats.
    • elimination or transference of all organizational risks.

    Explanation:
    Successful risk management should lead to a breakeven point of risk reduction and cost. The other options listed are not achievable. Threats cannot be totally removed or transferred, while losses cannot be budgeted in advance with absolute certainty.

  7. An information security manager has identified and implemented mitigating controls according to industry best practices. Which of the following is the GREATEST risk associated with this approach?

    • The cost of control implementation may be too high.
    • The security program may not be aligned with organizational objectives.
    • The mitigation measures may not be updated in a timely manner.
    • Important security controls may be missed without senior management input.

  8. An organization’s recent risk assessment has identified many areas of security risk, and senior management has asked for a five-minute overview of the assessment results. Which of the following is the information security manager’s BEST option for presenting this information?

    • Risk register
    • Risk heat map
    • Spider diagram
    • Balanced scorecard

  9. Which of the following should be of GREATEST concern to an information security manager when establishing a set of key risk indicators (KRIs)?

    • The impact of security risk on organizational objectives is not well understood.
    • Risk tolerance levels have not yet been established. 
    • Several business functions have been outsourced to third-party vendors.
    • The organization has no historical data on previous security events.

  10. When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?

    • Risk management
    • Change management
    • Access control management
    • Configuration management

  11. Which of the following is the MOST effective method for categorizing system and data criticality during the risk assessment process?

    • Interview senior management.
    • Interview data custodians.
    • Interview members of the board.
    • Interview the asset owners. 

  12. What is the PRIMARY benefit to executive management when audit, risk, and security functions are aligned?

    • Reduced number of assurance reports
    • More effective decision making 
    • More timely risk reporting
    • More efficient incident handling

  13. A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:

    • evaluate a third-party solution.
    • deploy additional security controls.
    • evaluate the business risk. 
    • initiate an exception approval process.

  14. Which of the following is the MOST important component of a risk profile?

    • Risk management framework 
    • Data classification results
    • Penetration test results
    • Risk assessment methodology

  15. Which of the following is MOST helpful for prioritizing the recovery of IT assets during a disaster?

    • Business impact analysis (BIA)
    • Risk assessment
    • Vulnerability assessment
    • Cost-benefit analysis

  16. Which of the following is MOST important for an information security manager to ensure is included in a business case for a new security system?

    • Effectiveness of controls
    • Risk reduction associated with the system
    • Audit-logging capabilities
    • Benchmarking results

  17. Risk management is MOST cost-effective:

    • when performed on a continuous basis.
    • while developing the business case for the security program.
    • at the beginning of security program development.
    • when integrated into other corporate assurance functions.

  18. The MOST effective way to communicate the level of impact of information security risks on organizational objectives is to present:

    • business impact analysis (BIA) results.
    • detailed threat analysis results.
    • risk treatment options.
    • a risk heat map. 

  19. Senior management has decided to accept a significant risk within a security remediation plan.

    Which of the following is the information security manager’s BEST course of action?

    • Remediate the risk and document the rationale.
    • Update the risk register with the risk acceptance.
    • Communicate the remediation plan to the board of directors. 
    • Report the risk acceptance to regulatory agencies.

  20. Which of the following is MOST important to consider when prioritizing threats during the risk assessment process?

    • The criticality of threatened systems
    • The severity of exploited vulnerabilities
    • The potential impact on operations
    • The capability of threat actors