Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 28

  1. Which of the following should be of MOST concern to an information security manager reviewing an organization’s data classification program?

    • The program allows exceptions to be granted.
    • Labeling is not consistent throughout the organization.
    • Data retention requirements are not defined.
    • The classifications do not follow industry best practices.
  2. Which of the following would BEST demonstrate the added value of an information security program?

    • Security baselines
    • A SWOT analysis
    • A gap analysis
    • A balanced scorecard
  3. An information security manager is asked to provide evidence that the organization is fulfilling its legal obligation to protect personally identifiable information (PII).

    Which of the following would be MOST helpful for this purpose?

    • Metrics related to program effectiveness
    • Written policies and standards
    • Privacy awareness training
    • Risk assessments of privacy-related applications
  4. Which of the following should be PRIMARILY included in a security training program for business process owners?

    • Impact of security risks
    • Application vulnerabilities
    • Application recovery time
    • List of security incidents reported
  5. A CIO has asked the organization’s information security manager to provide both one-year and five-year plans for the information security program. What is the PRIMARY purpose for the long-term plan?

    • To create formal requirements to meet projected security needs for the future
    • To create and document a consistent progression of security capabilities
    • To prioritize risks on a longer scale than the one-year plan
    • To facilitate the continuous improvement of the IT organization
  6. Which of the following has the MOST direct impact on the usability of an organization’s asset classification program?

    • The granularity of classifications in the hierarchy
    • The frequency of updates to the organization’s risk register
    • The business objectives of the organization
    • The support of senior management for the classification scheme
  7. Which of the following is the MOST important factor to ensure information security is meeting the organization’s objectives?

    • Internal audit’s involvement in the security process
    • Implementation of a control self-assessment process
    • Establishment of acceptable risk thresholds
    • Implementation of a security awareness program
  8. An organization has an approved bring your own device (BYOD) program. Which of the following is the MOST effective method to enforce application control on personal devices?

    • Establish a mobile device acceptable use policy.
    • Implement a mobile device management solution.
    • Educate users regarding the use of approved applications.
    • Implement a web application firewall.
  9. Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?

    • The ability to remotely locate devices
    • The ability to centrally manage devices
    • The ability to restrict unapproved applications
    • The ability to classify types of devices
  10. Which of the following is the GREATEST benefit of integrating information security program requirements into vendor management?

    • The ability to reduce risk in the supply chain
    • The ability to meet industry compliance requirements
    • The ability to define service level agreements (SLAs)
    • The ability to improve vendor performance
  11. Which of the following is a step in establishing a security policy?

    • Developing platform-level security baselines
    • Creating a RACI matrix
    • Implementing a process for developing and maintaining the policy
    • Developing configuration parameters for the network
  12. The BEST time to ensure that a corporation acquires secure software products when outsourcing software development is during:

    • corporate security reviews.
    • contract performance audits.
    • contract negotiation.
    • security policy development.
  13. Which of the following is the BEST way to determine if an organization’s current risk is within the risk appetite?

    • Conducting a business impact analysis (BIA)
    • Implementing key performance indicators (KPIs)
    • Implementing key risk indicators (KRIs)
    • Developing additional mitigating controls
  14. An organization with a strict need-to-know information access policy is about to launch a knowledge management intranet.

    Which of the following is the MOST important activity to ensure compliance with existing security policies?

    • Develop a control procedure to check content before it is published.
    • Change organization policy to allow wider use of the new web site.
    • Ensure that access to the web site is limited to senior managers and the board.
    • Password-protect documents that contain confidential information.
  15. Which of the following is the MOST significant advantage of developing a well-defined information security strategy?

    • Support for buy-in from organizational employees
    • Allocation of resources to highest priorities
    • Prevention of deviations from risk tolerance thresholds
    • Increased maturity of incident response processes
  16. Which of the following is an important criterion for developing effective key risk indicators (KRIs) to monitor information security risk?

    • The indicator should possess a high correlation with a specific risk and be measured on a regular basis.
    • The indicator should focus on IT and accurately represent risk variances.
    • The indicator should align with key performance indicators and measure root causes of process performance issues.
    • The indicator should provide a retrospective view of risk impacts and be measured annually.
  17. When implementing security architecture, an information security manager MUST ensure that security controls:

    • form multiple barriers against threats.
    • are transparent.
    • are the least expensive.
    • are communicated through security policies.
  18. An information security manager is reviewing the business case for a security project that is entering the development phase. It is determined that the estimated cost of the controls is now greater than the risk being mitigated.

    The information security manager’s BEST recommendation would be to:

    • eliminate some of the controls from the project scope.
    • discontinue the project to release funds for other efforts.
    • pursue the project until the benefits cover the costs.
    • slow the pace of the project to spread costs over a longer period.
  19. The chief information security officer (CISO) has developed an information security strategy, but is struggling to obtain senior management commitment for funds to implement the strategy.

    Which of the following is the MOST likely reason?

    • The strategy does not include a cost-benefit analysis.
    • The CISO reports to the CIO.
    • There was a lack of engagement with the business during development.
    • The strategy does not comply with security standards.
  20. An organization wants to enable digital forensics for a business-critical application. Which of the following will BEST help to support this objective?

    • Install biometric access control.
    • Develop an incident response plan.
    • Define data retention criteria.
    • Enable activity logging.