Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 31

  1. When contracting with an outsourcer to provide security administration, the MOST important contractual element is the:

    • right-to-terminate clause.
    • limitations of liability.
    • service level agreement (SLA).
    • financial penalties clause.


    Service level agreements (SLAs) provide metrics to which outsourcing firms can be held accountable. This is more important than a limitation on the outsourcing firm’s liability, a right-to-terminate clause or a hold-harmless agreement, which involves liabilities to third parties.

  2. A third-party service provider is developing a mobile app for an organization’s customers.

    Which of the following issues should be of GREATEST concern to the information security manager?

    • Software escrow is not addressed in the contract.
    • The contract has no requirement for secure development practices.
    • The mobile app’s programmers are all offshore contractors.
    • SLAs after deployment are not clearly defined.
  3. Implementing a strong password policy is part of an organization’s information security strategy for the year. A business unit believes the strategy may adversely affect a client’s adoption of a recently developed mobile application and has decided not to implement the policy.

    Which of the following is the information security manager’s BEST course of action?

    • Analyze the risk and impact of not implementing the policy.
    • Develop and implement a password policy for the mobile application.
    • Escalate non-implementation of the policy to senior management.
    • Benchmark with similar mobile applications to identify gaps.
  4. Which of the following would BEST enable an organization to effectively monitor the implementation of standardized configurations?

    • Implement a separate change tracking system to record changes to configurations.
    • Perform periodic audits to detect non-compliant configurations.
    • Develop policies requiring use of the established benchmarks.
    • Implement automated scanning against the established benchmarks.
  5. Which of the following should be the information security manager’s NEXT step following senior management approval of the information security strategy?

    • Develop a security policy.
    • Develop a budget.
    • Perform a gap analysis.
    • Form a steering committee.
  6. What is the MOST important consideration when establishing metrics for reporting to the information security strategy committee?

    • Agreeing on baseline values for the metrics
    • Developing a dashboard for communicating the metrics
    • Providing real-time insight on the security posture of the organization
    • Benchmarking the expected value of the metrics against industry standards
  7. Which of the following is the BEST approach for encouraging business units to assume their roles and responsibilities in an information security program?

    • Perform a risk assessment.
    • Conduct an awareness program.
    • Conduct a security audit.
    • Develop controls and countermeasures.
  8. Which of the following is the PRIMARY responsibility of the information security steering committee?

    • Developing security policies aligned with the corporate and IT strategies
    • Reviewing business cases where benefits have not been realized
    • Identifying risks associated with new security initiatives
    • Developing and presenting business cases for security initiatives
  9. When developing a new application, which of the following is the BEST approach to ensure compliance with security requirements?

    • Provide security training for developers.
    • Prepare detailed acceptance criteria.
    • Adhere to change management processes.
    • Perform a security gap analysis.
  10. Which of the following will BEST help to ensure security is addressed when developing a custom application?

    • Conducting security training for the development staff
    • Integrating security requirements into the development process
    • Requiring a security assessment before implementation
    • Integrating a security audit throughout the development process
  11. What should be the PRIMARY objective of conducting interviews with business unit managers when developing an information security strategy?

    • Determine information types
    • Obtain information on departmental goals
    • Identify data and system ownership
    • Classify information assets
  12. Which of the following is MOST important to consider when developing a disaster recovery plan?

    • Business continuity plan (BCP)
    • Business impact analysis (BIA)
    • Cost-benefit analysis
    • Feasibility assessment
  13. Which of the following is the MOST effective approach for integrating security into application development?

    • Defining security requirements
    • Performing vulnerability scans
    • Including security in user acceptance testing sign-off
    • Developing security models in parallel
  14. Which of the following should be of MOST influence to an information security manager when developing IT security policies?

    • Past and current threats
    • IT security framework
    • Compliance with regulations
    • Business strategy
  15. Which of the following contributes MOST to the effective implementation of an information security strategy?

    • Reporting of security metrics
    • Regular security awareness training
    • Endorsement by senior management
    • Implementation of security standards
  16. Which of the following BEST validates that security controls are implemented in a new business process?

    • Assess the process according to information security policy.
    • Benchmark the process against industry practices.
    • Verify the use of a recognized control framework.
    • Review the process for conformance with information security best practices.
  17. When preparing a business case for the implementation of a security information and event management (SIEM) system, which of the following should be a PRIMARY driver in the feasibility study?

    • Cost of software
    • Cost-benefit analysis
    • Implementation timeframe
    • Industry benchmarks
  18. When using a newly implemented security information and event management (SIEM) infrastructure, which of the following should be considered FIRST?

    • Retention
    • Tuning
    • Encryption
    • Report distribution
  19. Planning for the implementation of an information security program is MOST effective when it:

    • uses decision trees to prioritize security projects
    • applies gap analysis to current and future business plans
    • uses risk-based analysis for security projects
    • applies technology-driven solutions to identified needs
  20. Which of the following is MOST critical to the successful implementation of information security within an organization?

    • The information security manager is responsible for setting information security policy
    • Strong risk management skills exist within the information security group
    • Budget is allocated for information security tools
    • Security is effectively marketed to all managers and employees