Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 27
An information security manager is implementing a bring your own device (BYOD) program. Which of the following would BEST ensure that users adhere to the security standards?
- Monitor user activities on the network
- Publish the standards on the intranet landing page
- Establish an acceptable use policy
- Deploy a device management solution
An organization is in the process of adopting a hybrid data infrastructure, transferring all non-core applications to cloud service providers and maintaining all core business functions in-house. The information security manager has determined a defense in depth strategy should be used. Which of the following BEST describes this strategy?
- Multi-factor login requirements for cloud service applications, timeouts, and complex passwords
- Deployment of nested firewalls within the infrastructure
- Separate security controls for applications, platforms, programs, and endpoints
- Strict enforcement of role-based access control (RBAC)
When supporting an organization’s privacy officer, which of the following is the information security manager’s PRIMARY role regarding privacy requirements?
- Monitoring the transfer of private data
- Conducting privacy awareness programs
- Ensuring appropriate controls are in place
- Determining data classification
Which of the following metrics would provide management with the MOST useful information about the progress of a security awareness program?
- Increased number of downloads of the organization’s security policy
- Increased reporting of security incidents
- Completion rate of user awareness training within each business unit
- Decreased number of security incidents
An organization’s senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager’s FIRST step to support this strategy?
- Incorporate social media into the security awareness program.
- Develop a guideline on the acceptable use of social media.
- Develop a business case for a data loss prevention (DLP) solution.
- Employ the use of a web content filtering solution.
Of the following, whose input is of GREATEST importance in the development of an information security strategy?
- End users
- Corporate auditors
- Process owners
- Security architects
Which of the following BEST enables an information security manager to determine the comprehensiveness of an organization’s information security strategy?
- Business impact analysis
- Organizational risk appetite
- Independent security audit
- Security risk assessment
An information security manager is developing a business case for an investment in an information security control. The FIRST step should be to:
- research vendor pricing to show cost efficiency
- assess potential impact to the organization
- demonstrate increased productivity of security staff
- gain audit buy-in for the security control
Which of the following techniques would be the BEST test of security effectiveness?
- Performing an external penetration test
- Reviewing security policies and standards
- Reviewing security logs
- Analyzing technical security practices
In the event that a password policy cannot be implemented for a legacy application, which of the following is the BEST course of action?
- Update the application security policy.
- Implement compensating control.
- Submit a waiver for the legacy application.
- Perform an application security assessment.
To ensure the information security of outsourced IT services, which of the following is the MOST critical due diligence activity?
- Review samples of service level reports from the service provider.
- Assess the level of security awareness of the service provider.
- Request that the service provider comply with information security policy.
- Review the security status of the service provider.
Management decisions concerning information security investments will be MOST effective when they are based on:
- an annual loss expectancy (ALE) determined from the history of security events.
- the formalized acceptance of risk analysis by management.
- the reporting of consistent and periodic assessments of risks.
- a process for identifying and analyzing threats and vulnerabilities.
The contribution of recovery point objective (RPO) to disaster recovery is to:
- define backup strategy.
- eliminate single points of failure.
- reduce mean time between failures (MTBF).
- minimize outage period.
The BEST way to establish a recovery time objective (RTO) that balances cost with a realistic recovery time frame is to:
- perform a business impact analysis (BIA).
- determine daily downtime cost.
- analyze cost metrics.
- conduct a risk assessment.
In a large organization, defining recovery time objectives (RTOs) is PRIMARILY the responsibility of:
- the IT manager.
- the information security manager.
- the business unit manager.
- senior management.
Which metric is the BEST indicator that an update to an organization’s information security awareness strategy is effective?
- A decrease in the number of incidents reported by staff
- A decrease in the number of email viruses detected
- An increase in the number of email viruses detected
- An increase in the number of incidents reported by staff
An organization involved in e-commerce activities operating from its home country opened a new office in another country with stringent security laws. In this scenario, the overall security strategy should be based on:
- risk assessment results.
- international security standards.
- the most stringent requirements.
- the security organization structure.
Which of the following is the PRIMARY reason to conduct periodic business impact assessments?
- Improve the results of the last business impact assessment
- Update recovery objectives based on new risks
- Decrease the recovery times
- Meet the needs of the business continuity policy
Which of the following is the BEST approach to make strategic information security decisions?
- Establish an information security steering committee.
- Establish periodic senior management meetings.
- Establish regular information security status reporting.
- Establish business unit security working groups.
Which of the following would be the MOST important information to include in a business case for an information security project in a highly regulated industry?
- Compliance risk assessment
- Critical audit findings
- Industry comparison analysis
- Number of reported security incidents