Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 36

  1. Which of the following is the BEST reason to develop comprehensive information security policies?

    • To comply with external industry and government regulations
    • To support development of effective risk indicators
    • To align the information security program to organizational strategy
    • To gain senior management support for the information security program
  2. An organization has announced new initiatives to establish a big data platform and develop mobile apps. What is the FIRST step when defining new human resource requirements?

    • Request additional funding for recruiting and training.
    • Analyze the skills necessary to support the new initiatives.
    • Benchmark to an industry peer.
    • Determine the security technology requirements for the initiatives.
  3. What is the PRIMARY role of the information security program?

    • To develop and enforce a set of security policies aligned with the business
    • To educate stakeholders regarding information security requirements
    • To perform periodic risk assessments and business impact analyses (BIAs)
    • To provide guidance in managing organizational security risk
  4. An information security program should be established PRIMARILY on the basis of:

    • the approved information security strategy.
    • the approved risk management approach.
    • data security regulatory requirements.
    • senior management input.
  5. To ensure adequate disaster-preparedness among IT infrastructure personnel, it is MOST important to:

    • have the most experienced personnel participate in recovery tests.
    • include end-user personnel in each recovery test.
    • assign personnel-specific duties in the recovery plan.
    • periodically rotate recovery-test participants.
  6. When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?

    • Include information security clauses in the vendor contract.
    • Review third-party reports of potential vendors.
    • Include information security criteria as part of vendor selection.
    • Develop metrics for vendor performance.
  7. In an organization implementing a data classification program, ultimate responsibility for the data on the database server lies with the:

    • information security manager.
    • business unit manager.
    • database administrator (DBA).
    • information technology manager.
  8. Which of the following is the MOST effective way for an organization to ensure its third-party service providers are aware of information security requirements and expectations?

    • Auditing the service delivery of third-party providers
    • Including information security clauses within contracts
    • Providing information security training to third-party personnel
    • Requiring third parties to sign confidentiality agreements
  9. Which of the following is MOST important for an information security manager to consider when identifying information security resource requirements?

    • Information security incidents
    • Information security strategy
    • Current resourcing levels
    • Availability of potential resources
  10. Which of the following is the BEST strategy to implement an effective operational security posture?

    • Threat management
    • Defense in depth
    • Increased security awareness
    • Vulnerability management
  11. What should be the PRIMARY basis for establishing a recovery time objective (RTO) for a critical business application?

    • Business impact analysis (BIA) results
    • Related business benchmarks
    • Risk assessment results
    • Legal and regulatory requirements
  12. Which of the following BEST supports the alignment of information security with business functions?

    • Creation of a security steering committee
    • IT management support of security assessments
    • Business management participation in security penetration tests
    • A focus on technology security risk within business processes
  13. Which of the following security characteristics is MOST important to the protection of customer data in an online transaction system?

    • Availability
    • Data segregation
    • Audit monitoring
    • Authentication
  14. Which of the following MUST be established before implementing a data loss prevention (DLP) system?

    • Privacy impact assessment
    • A data backup policy
    • Data classification
    • A data recovery policy
  15. An IT department plans to migrate an application to the public cloud. Which of the following is the information security manager’s MOST important action in support of this initiative?

    • Calculate security implementation costs.
    • Evaluate service level agreements (SLAs).
    • Provide cloud security requirements.
    • Review cloud provider independent assessment reports.
  16. Which of the following is the MOST effective way to ensure the process for granting access to new employees is standardized and meets organizational security requirements?

    • Grant authorization to individual systems as required with the approval of information security management.
    • Require managers of new hires to be responsible for account setup and access during employee orientation.
    • Embed the authorization and creation of accounts within HR onboarding procedures.
    • Adopt a standard template of access levels for all employees to be enacted upon hiring.
  17. Which of the following has the GREATEST impact on efforts to improve an organization’s security posture?

    • Supportive tone at the top management regarding security
    • Well-documented security policies and procedures
    • Regular reporting to senior management
    • Automation of security controls
  18. Which of the following is MOST important to building an effective information security program?

    • Information security architecture to increase monitoring activities
    • Management support for information security
    • Relevant and timely content included in awareness programs
    • Logical access controls for information systems
  19. Which of the following is the BEST way to address any gaps identified during an outsourced provider selection and contract negotiation process?

    • Make the provider accountable for security and compliance
    • Perform continuous gap assessments
    • Include audit rights in the service level agreement (SLA)
    • Implement compensating controls
  20. Which of the following is the BEST course of action for an information security manager to align security and business goals?

    • Defining key performance indicators (KPIs)
    • Actively engaging with stakeholders
    • Reviewing the business strategy
    • Conducting a business impact analysis (BIA)