CISM : Certified Information Security Manager : Part 27
-
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?
- Monitor user activities on the network
- Publish the standards on the intranet landing page
- Establish an acceptable use policy
- Deploy a device management solution
-
An organization is in the process of adopting a hybrid data infrastructure, transferring all non-core applications to cloud service providers and maintaining all core business functions in-house. The information security manager has determined a defense in depth strategy should be used. Which of the following BEST describes this strategy?
- Multi-factor login requirements for cloud service applications, timeouts, and complex passwords
- Deployment of nested firewalls within the infrastructure
- Separate security controls for applications, platforms, programs, and endpoints
- Strict enforcement of role-based access control (RBAC)
-
When supporting an organization’s privacy officer, which of the following is the information security manager’s PRIMARY role regarding privacy requirements?
- Monitoring the transfer of private data
- Conducting privacy awareness programs
- Ensuring appropriate controls are in place
- Determining data classification
-
Which of the following metrics would provide management with the MOST useful information about the progress of a security awareness program?
- Increased number of downloads of the organization’s security policy
- Increased reporting of security incidents
- Completion rate of user awareness training within each business unit
- Decreased number of security incidents
-
An organization’s senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager’s FIRST step to support this strategy?
- Incorporate social media into the security awareness program.
- Develop a guideline on the acceptable use of social media.
- Develop a business case for a data loss prevention (DLP) solution.
- Employ the use of a web content filtering solution.
-
Of the following, whose input is of GREATEST importance in the development of an information security strategy?
- End users
- Corporate auditors
- Process owners
- Security architects
-
Which of the following BEST enables an information security manager to determine the comprehensiveness of an organization’s information security strategy?
- Business impact analysis
- Organizational risk appetite
- Independent security audit
- Security risk assessment
-
An information security manager is developing a business case for an investment in an information security control. The FIRST step should be to:
- research vendor pricing to show cost efficiency
- assess potential impact to the organization
- demonstrate increased productivity of security staff
- gain audit buy-in for the security control
-
Which of the following techniques would be the BEST test of security effectiveness?
- Performing an external penetration test
- Reviewing security policies and standards
- Reviewing security logs
- Analyzing technical security practices
-
In the event that a password policy cannot be implemented for a legacy application, which of the following is the BEST course of action?
- Update the application security policy.
- Implement a compensating control.
- Submit a waiver for the legacy application.
- Perform an application security assessment.
-
To ensure the information security of outsourced IT services, which of the following is the MOST critical due diligence activity?
- Review samples of service level reports from the service provider.
- Assess the level of security awareness of the service provider.
- Request that the service provider comply with information security policy.
- Review the security status of the service provider.
-
Management decisions concerning information security investments will be MOST effective when they are based on:
- an annual loss expectancy (ALE) determined from the history of security events.
- the formalized acceptance of risk analysis by management.
- the reporting of consistent and periodic assessments of risks.
- a process for identifying and analyzing threats and vulnerabilities.
-
The contribution of recovery point objective (RPO) to disaster recovery is to:
- define backup strategy.
- eliminate single points of failure.
- reduce mean time between failures (MTBF).
- minimize outage period.
-
The BEST way to establish a recovery time objective (RTO) that balances cost with a realistic recovery time frame is to:
- perform a business impact analysis (BIA).
- determine daily downtime cost.
- analyze cost metrics.
- conduct a risk assessment.
-
In a large organization, defining recovery time objectives (RTOs) is PRIMARILY the responsibility of:
- the IT manager.
- the information security manager.
- the business unit manager.
- senior management.
-
Which metric is the BEST indicator that an update to an organization’s information security awareness strategy is effective?
- A decrease in the number of incidents reported by staff
- A decrease in the number of email viruses detected
- An increase in the number of email viruses detected
- An increase in the number of incidents reported by staff
-
An organization involved in e-commerce activities operating from its home country opened a new office in another country with stringent security laws. In this scenario, the overall security strategy should be based on:
- risk assessment results.
- international security standards.
- the most stringent requirements.
- the security organization structure.
-
Which of the following is the PRIMARY reason to conduct periodic business impact assessments?
- Improve the results of the last business impact assessment
- Update recovery objectives based on new risks
- Decrease the recovery times
- Meet the needs of the business continuity policy
-
Which of the following is the BEST approach to make strategic information security decisions?
- Establish an information security steering committee.
- Establish periodic senior management meetings.
- Establish regular information security status reporting.
- Establish business unit security working groups.
-
Which of the following would be the MOST important information to include in a business case for an information security project in a highly regulated industry?
- Compliance risk assessment
- Critical audit findings
- Industry comparison analysis
- Number of reported security incidents