CISM : Certified Information Security Manager : Part 61

  1. Which of the following is MOST likely to increase end user security awareness in an organization?

    • Simulated phishing attacks
    • Security objectives included in job descriptions
    • Red team penetration testing
    • A dedicated channel for reporting suspicious emails
  2. Which of the following models provides a client organization with the MOST administrative control over a cloud-hosted environment?

    • Storage as a Service (STaaS)
    • Platform as a Service (PaaS)
    • Software as a Service (SaaS)
    • Infrastructure as a Service (IaaS)
  3. Which of the following is the MAIN concern when securing emerging technologies?

    • Applying the corporate hardening standards
    • Integrating with existing access controls
    • Unknown vulnerabilities
    • Compatibility with legacy systems
  4. Which of the following is the FIRST step required to achieve effective performance measurement?

    • Select and place sensors
    • Implement control objectives
    • Validate and calibrate metrics
    • Define meaningful metrics
  5. The BEST way to ensure information security efforts and initiatives continue to support corporate strategy is by:

    • including the CIO in the information security steering committee
    • conducting benchmarking with industry best practices
    • including information security metrics in the organizational metrics
    • performing periodic internal audits of the information security program
  6. Which of the following is the BEST reason to separate short-term from long-term plans within an information security roadmap?

    • To allow for reactive initiatives 
    • To update the roadmap according to current risks
    • To allocate resources for initiatives
    • To facilitate business plan reporting to management
  7. An information security manager has been made aware that some employees are discussing confidential corporate business on social media sites.

    Which of the following is the BEST response to this situation?

    • Communicate social media usage requirements and monitor compliance. 
    • Block workplace access to social media sites and monitor employee usage.
    • Train employees how to set up privacy rules on social media sites.
    • Scan social media sites for company-related information.
  8. An organization is considering the purchase of a competitor. To determine the competitor’s security posture, the BEST course of action for the organization’s information security manager would be to:

    • assess the security policy of the competitor.
    • assess the key technical controls of the competitor.
    • conduct a penetration test of the competitor.
    • perform a security gap analysis on the competitor.
  9. Which of the following is the MOST effective approach to communicate general information security responsibilities across an organization?

    • Require staff to sign confidentiality agreements.
    • Develop a RACI matrix for the organization.
    • Specify information security responsibilities in job descriptions. 
    • Provide regular security awareness training.
  10. The MOST important reason for an information security manager to be involved in a new software purchase initiative is to:

    • choose the software with the most control options.
    • provide input for user requirements.
    • ensure there is software escrow in place.
    • ensure the appropriate controls are considered. 
  11. A security team is conducting its annual disaster recovery test. Post-restoration testing shows the system response time is significantly slower due to insufficient bandwidth for Internet connectivity at the recovery center.

    Which of the following is the security manager’s BEST course of action?

    • Halt the test until the network bandwidth is increased.
    • Reduce the number of applications marked as critical.
    • Document the deficiency for review by business leadership. 
    • Pursue risk acceptance for the slower response time.
  12. Which of the following is the MOST reliable source of information about emerging information security threats and vulnerabilities?

    • Industry bloggers
    • A social media group of hackers
    • Threat intelligence groups 
    • Vulnerability scanning alerts
  13. An organization is about to purchase a rival organization. The PRIMARY reason for performing information security due diligence prior to making the purchase is to:

    • ensure compliance with international standards.
    • assess the ability to integrate the security department operations.
    • determine the security exposures.
    • evaluate the security policy and standards.
  14. Which of the following is the MOST important influence on the continued success of an organization’s information security strategy?

    • Information systems
    • Policy development
    • Security processes
    • Organizational culture
  15. Which of the following is MOST helpful for protecting an enterprise from advanced persistent threats (APTs)?

    • Defined security standards
    • Updated security policies
    • Threat intelligence
    • Regular antivirus updates
  16. Which of the following metrics would be considered an accurate measure of an information security program’s performance?

    • The number of key risk indicators (KRIs) identified, monitored, and acted upon
    • A combination of qualitative and quantitative trends that enable decision making
    • A single numeric score derived from various measures assigned to the security program
    • A collection of qualitative indicators that accurately measure security exceptions
  17. Which of the following is the BEST indication that an information security control is no longer relevant?

    • Users regularly bypass or ignore the control.
    • The control does not support a specific business function.
    • IT management does not support the control.
    • Following the control costs the business more than not following it.
  18. When granting a vendor remote access to a system, which of the following is the MOST important consideration?

    • Session monitoring
    • Hard drive encryption
    • Multi-factor authentication
    • Password hashing
  19. What is the MOST important role of an organization’s data custodian in support of the information security function?

    • Evaluating data security technology vendors
    • Assessing data security risks to the organization
    • Approving access rights to departmental data
    • Applying approved security policies
  20. Which of the following is MOST relevant for an information security manager to communicate to business units?

    • Threat assessments
    • Vulnerability assessments
    • Risk ownership
    • Business impact analysis (BIA)