CISM : Certified Information Security Manager : Part 29

  1. An organization is developing a disaster recovery plan for a data center that hosts multiple applications. The application recovery sequence would BEST be determined through an analysis of:

    • Key performance indicators (KPIs)
    • Recovery time objectives (RTOs)
    • Recovery point objectives (RPOs)
    • The data classification scheme
  2. Which of the following should be the PRIMARY goal of an information security manager when designing information security policies?

    • Reducing organizational security risk
    • Improving the protection of information
    • Minimizing the cost of security controls
    • Achieving organizational objectives
  3. An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining:

    • security metrics
    • service level agreements (SLAs)
    • risk-reporting methodologies
    • security requirements for the process being outsourced
  4. When developing security processes for handling credit card data on the business unit’s information system, the information security manager should FIRST:

    • review corporate policies regarding credit card information.
    • implement the credit card companies’ security requirements.
    • ensure that systems handling credit card data are segmented.
    • review the industry’s best practices for handling secure payments.
  5. When developing a disaster recovery plan, which of the following would be MOST helpful in prioritizing the order in which systems should be recovered?

    • Performing a business impact analysis (BIA)
    • Measuring the volume of data in each system
    • Reviewing the information security policy
    • Reviewing the business strategy
  6. When developing an information security strategy, the MOST important requirement is that:

    • standards capture the intent of management.
    • a schedule is developed to achieve objectives.
    • the desired outcome is known.
    • critical success factors (CSFs) are developed.
  7. Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?

    • Require remote wipe capabilities for devices.
    • Enforce passwords and data encryption on the devices.
    • Conduct security awareness training.
    • Review and update existing security policies.
  8. Which of the following should be the PRIMARY consideration when selecting a recovery site?

    • Regulatory requirements
    • Recovery time objective
    • Geographical location
    • Recovery point objective
  9. Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies.

    To BEST address this concern, the information security manager should:

    • escalate concern for conflicting access rights to management.
    • implement consistent access control standards.
    • review access rights as the acquisition integration occurs.
    • perform a risk assessment of the access rights.
  10. Which of the following would be MOST helpful to the information security manager tasked with enforcing enhanced password standards?

    • Conducting password strength testing
    • Reeducating end users on creating strong complex passwords
    • Implementing a centralized identity management system
    • Implementing technical password controls to include strong complexity
  11. Which of the following is the MOST practical control that an organization can implement to prevent unauthorized downloading of data to universal serial bus (USB) storage devices?

    • Two-factor authentication
    • Restrict drive usage
    • Strong encryption
    • Disciplinary action
  12. Which of the following is the BEST method to determine whether an information security program meets an organization’s business objectives?

    • Implement performance measures.
    • Review against international security standards.
    • Perform a business impact analysis (BIA).
    • Conduct an annual enterprise-wide security evaluation.
  13. What is the BEST course of action when an information security manager finds an external service provider has not implemented adequate controls for safeguarding the organization’s critical data?

    • Assess the impact of the control gap.
    • Initiate contract renegotiations.
    • Purchase additional insurance.
    • Conduct a controls audit of the provider.
  14. A PRIMARY purpose of creating security policies is to:

    • implement management’s governance strategy.
    • establish the way security tasks should be executed.
    • communicate management’s security expectations.
    • define allowable security boundaries.
  15. Which of the following should be the PRIMARY consideration for an information security manager when designing security controls for a newly acquired business application?

    • Known vulnerabilities in the application
    • The IT security architecture framework
    • Cost-benefit analysis of current controls
    • Business processes supported by the application
  16. Which of the following would provide the BEST justification for a new information security investment?

    • Results of a comprehensive threat analysis
    • Projected reduction in risk
    • Senior management involvement in project prioritization
    • Defined key performance indicators (KPIs)
  17. Which of the following is the PRIMARY reason for executive management to be involved in establishing an enterprise’s security management framework?

    • To determine the desired state of enterprise security
    • To establish the minimum level of controls needed
    • To satisfy auditors’ recommendations for enterprise security
    • To ensure industry best practices for enterprise security are followed
  18. The PRIMARY reason for establishing a data classification scheme is to identify:

    • data ownership.
    • data-retention strategy.
    • appropriate controls.
    • recovery priorities.
  19. Which of the following needs to be established between an IT service provider and its clients to BEST enable adequate continuity of service in preparation for an outage?

    • Data retention policies
    • Server maintenance plans
    • Recovery time objectives
    • Reciprocal site agreement
  20. For an organization with operations in different parts of the world, the BEST approach for ensuring that security policies do not conflict with local laws and regulations is to:

    • refer to an external global standard to avoid any regional conflict.
    • make policies at a sufficiently high level, so they are globally applicable.
    • adopt uniform policies.
    • establish a hierarchy of global and local policies.