CISM : Certified Information Security Manager : Part 51

  1. Exceptions to a security policy should be approved based PRIMARILY on:

    • risk appetite.
    • the external threat probability.
    • results of a business impact analysis (BIA).
    • the number of security incidents.
  2. Which of the following is the BEST way to increase the visibility of information security within an organization’s culture?

    • Requiring cross-functional information security training
    • Implementing user awareness campaigns for the entire company
    • Publishing an acceptable use policy
    • Establishing security policies based on industry standards
  3. Recovery time objectives (RTOs) are an output of which of the following?

    • Business continuity plan
    • Disaster recovery plan
    • Service level agreement (SLA)
    • Business impact analysis (BIA)
  4. Which of the following should be done FIRST when selecting performance metrics to report on the vendor risk management process?

    • Review the confidentiality requirements.
    • Identify the data owner.
    • Select the data source.
    • Identify the intended audience.
  5. An organization’s information security strategy for the coming year emphasizes reducing the risk of ransomware.

    Which of the following would be MOST helpful to support this strategy?

    • Provide relevant training to all staff.
    • Create a penetration testing plan.
    • Perform a controls gap analysis.
    • Strengthen security controls for the IT environment.
  6. What would be an information security manager’s BEST course of action when notified that the implementation of some security controls is being delayed due to budget constraints?

    • Prioritize security controls based on risk.
    • Request a budget exception for the security controls.
    • Begin the risk acceptance process.
    • Suggest less expensive alternative security controls.
  7. An information security manager learns of a new international standard related to information security.

    Which of the following would be the BEST course of action?

    • Review industry peers’ responses to the new standard.
    • Consult with legal counsel on the standard’s applicability to regulations.
    • Determine whether the organization can benefit from adopting the new standard.
    • Perform a gap analysis between the new standard and existing practices.
  8. Relying on which of the following methods when detecting new threats using IDS should be of MOST concern?

    • Statistical pattern recognition
    • Attack signatures
    • Heuristic analysis
    • Traffic analysis
  9. Which of the following is MOST helpful to management in determining whether risks are within an organization’s tolerance level?

    • Audit findings
    • Heat map
    • Penetration test results
    • Maturity level
  10. An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective.

    Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

    • Risk assessment
    • Gap analysis
    • Cost-benefit analysis
    • Business case
  11. Which of the following is the MOST important step when establishing guidelines for the use of social networking sites in an organization?

    • Establish disciplinary actions for noncompliance.
    • Define acceptable information for posting.
    • Identify secure social networking sites.
    • Perform a vulnerability assessment.
  12. Which of the following is MOST important when selecting a third-party security operations center?

    • Indemnity clauses
    • Independent controls assessment
    • Incident response plans
    • Business continuity plans
  13. An information security manager learns users of an application are frequently using emergency elevated access privileges to process transactions.

    Which of the following should be done FIRST?

    • Request justification from the user’s managers for emergency access.
    • Request that the application administrator block all emergency access profiles.
    • Update the frequency and usage of the emergency access profile in the policy.
    • Review the security architecture of the application and recommend changes.
  14. Which of the following is MOST critical to review when preparing to outsource a data repository to a cloud-based solution?

    • Disaster recovery plan
    • Identity and access management
    • Vendor’s information security policy
    • A risk assessment
  15. Which of the following is MOST useful to include in a report to senior management on a regular basis to demonstrate the effectiveness of the information security program?

    • Key risk indicators (KRIs)
    • Capability maturity models
    • Critical success factors (CSFs)
    • Key performance indicators (KPIs)
  16. Which of the following is the MOST important factor when determining the frequency of information security reassessment?

    • Risk priority
    • Risk metrics
    • Audit findings
    • Mitigating controls
  17. Which of the following will identify a deviation in the information security management process from generally accepted standards of good practices?

    • Risk assessment
    • Business impact analysis (BIA)
    • Penetration testing
    • Gap analysis
  18. Which of the following is the MOST effective way to ensure security policies are relevant to organizational business practices?

    • Integrate industry best practices
    • Obtain senior management sign-off
    • Conduct an organization-wide security audit
    • Leverage security steering committee contribution
  19. In the absence of technical controls, what would be the BEST way to reduce unauthorized text messaging on company-supplied mobile devices?

    • Conduct a business impact analysis (BIA) and provide the report to management.
    • Update the corporate mobile usage policy to prohibit texting.
    • Stop providing mobile devices until the organization is able to implement controls.
    • Include the topic of prohibited texting in security awareness training.
  20. Which of the following is the BEST approach for determining the maturity level of an information security program?

    • Evaluate key performance indicators (KPIs)
    • Engage a third-party review
    • Review internal audit results
    • Perform a self-assessment