Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 64
-
Which of the following is the PRIMARY purpose for defining key performance indicators (KPIs) for a security program?
- To compare security program effectiveness to best practice
- To ensure controls meet regulatory requirements
- To measure the effectiveness of the security program
- To evaluate the performance of security staff
-
Which of the following is MOST appropriate to include in an information security policy?
- A set of information security controls to maintain regulatory compliance
- The strategy for achieving security program outcomes desired by management
- A definition of minimum level of security that each system must meet
- Statements of management’s intent to support the goals of information security
-
Which of the following provides the BEST indication of strategic alignment between an organization’s information security program and business objectives?
- A business impact analysis (BIA)
- Security audit reports
- A balanced scorecard
- Key risk indicators (KRIs)
-
Which of the following is the BEST way to define responsibility for information security throughout an organization?
- Guidelines
- Training
- Standards
- Policies
-
Which of the following would BEST enable effective decision-making?
- A consistent process to analyze new and historical information risk
- Annualized loss estimates determined from past security events
- Formalized acceptance of risk analysis by business management
- A universally applied list of generic threats, impacts, and vulnerabilities
-
When a security weakness is detected at facilities provided by an IT service provider, which of the following tasks must the information security manager perform FIRST?
- Assess compliance with the service provider’s security policy.
- Advise the service provider of countermeasures.
- Confirm the service provider’s contractual obligations.
- Reiterate the relevant security policy and standards.
-
An organization manages payroll and accounting systems for multiple client companies. Which of the following contract terms would indicate a potential weakness for a disaster recovery hot site?
- Exclusive use of hot site is limited to six weeks (following declaration).
- Timestamp of declaration will determine priority of access to facility.
- Work-area size is limited but can be augmented with nearby office space.
- Servers will be provided at time of disaster (not on floor).
-
While conducting a test of a business continuity plan (BCP), which of the following is the MOST important consideration?
- The test addresses the critical components.
- The test simulates actual prime-time processing conditions.
- The test is scheduled to reduce operational impact.
- The test involves IT members in the test process.
-
Which of the following is the MOST appropriate party to approve an information security strategy?
- Executive leadership team
- Chief information officer
- Information security management committee
- Chief information security officer
-
An application system stores customer confidential data and encryption is not practical. The BEST measure to protect against data disclosure is:
- regular review of access logs.
- single sign-on.
- nondisclosure agreements (NDA).
- multi-factor access controls.
-
Which of the following is the GREATEST security concern when an organization allows the use of social networks?
- Network performance degradation
- Browser vulnerability exploitation
- Decreased user productivity
- Inadvertent data disclosure
-
The BEST way to establish a security baseline is by documenting:
- the organization’s preferred security level.
- a framework of operational standards.
- the desired range of security settings.
- a standard of acceptable settings.
-
Which of the following is the MOST important reason to have documented security procedures and guidelines?
- To meet regulatory compliance requirements
- To allocate security responsibilities to staff
- To facilitate collection of security metrics
- To enable standard security practices
-
Which of the following recovery approaches generally has the LOWEST periodic cost?
- Redundant site
- Reciprocal agreement
- Shared contingency center
- Cold site
-
Presenting which of the following to senior management will be MOST helpful in securing ongoing support for the information security strategy?
- Historical security incidents
- Return on security investment
- Completed business impact analyses (BIAs)
- Current vulnerability metrics
-
From an information security perspective, legal issues associated with a transborder flow of technology-related items are MOST often related to:
- website transactions and taxation.
- lack of competition and free trade.
- encryption tools and personal data.
- software patches and corporate data.
-
An organization has decided to store production data in a cloud environment. What should be the FIRST consideration?
- Data backup
- Data transfer
- Data classification
- Data isolation
-
Which of the following is the MOST effective way for an information security manager to protect the organization from misuse of social media?
- Hire a social media manager to control content delivered via social media.
- Scan social media platforms for company references.
- Restrict the use of social media on corporate networks and devices.
- Deliver regular social media awareness training to all employees.
-
Which of the following is the GREATEST benefit of a centralized approach to coordinating information security?
- Optimal use of security resources
- Reduction in the number of policies
- Business user buy-in
- Integration with business functions
-
Which of the following factors is MOST likely to increase the chances of a successful social engineering attack?
- Technical skills
- Knowledge of internal procedures
- Potential financial gain
- Weak authentication for remote access