CISM : Certified Information Security Manager : Part 64

  1. Which of the following is the PRIMARY purpose for defining key performance indicators (KPIs) for a security program?

    • To compare security program effectiveness to best practice
    • To ensure controls meet regulatory requirements
    • To measure the effectiveness of the security program
    • To evaluate the performance of security staff
  2. Which of the following is MOST appropriate to include in an information security policy?

    • A set of information security controls to maintain regulatory compliance
    • The strategy for achieving security program outcomes desired by management
    • A definition of the minimum level of security that each system must meet
    • Statements of management’s intent to support the goals of information security
  3. Which of the following provides the BEST indication of strategic alignment between an organization’s information security program and business objectives?

    • A business impact analysis (BIA)
    • Security audit reports
    • A balanced scorecard
    • Key risk indicators (KRIs)
  4. Which of the following is the BEST way to define responsibility for information security throughout an organization?

    • Guidelines
    • Training
    • Standards
    • Policies
  5. Which of the following would BEST enable effective decision-making?

    • A consistent process to analyze new and historical information risk
    • Annualized loss estimates determined from past security events
    • Formalized acceptance of risk analysis by business management
    • A universally applied list of generic threats, impacts, and vulnerabilities
  6. When a security weakness is detected at facilities provided by an IT service provider, which of the following tasks must the information security manager perform FIRST?

    • Assess compliance with the service provider’s security policy.
    • Advise the service provider of countermeasures.
    • Confirm the service provider’s contractual obligations.
    • Reiterate the relevant security policy and standards.
  7. An organization manages payroll and accounting systems for multiple client companies. Which of the following contract terms would indicate a potential weakness for a disaster recovery hot site?

    • Exclusive use of hot site is limited to six weeks (following declaration).
    • Timestamp of declaration will determine priority of access to facility.
    • Work-area size is limited but can be augmented with nearby office space.
    • Servers will be provided at time of disaster (not on floor).
  8. While conducting a test of a business continuity plan (BCP), which of the following is the MOST important consideration?

    • The test addresses the critical components.
    • The test simulates actual prime-time processing conditions.
    • The test is scheduled to reduce operational impact.
    • The test involves IT members in the test process.
  9. Which of the following is the MOST appropriate party to approve an information security strategy?

    • Executive leadership team
    • Chief information officer
    • Information security management committee
    • Chief information security officer
  10. An application system stores customer confidential data and encryption is not practical. The BEST measure to protect against data disclosure is:

    • regular review of access logs.
    • single sign-on.
    • nondisclosure agreements (NDA).
    • multi-factor access controls.
  11. Which of the following is the GREATEST security concern when an organization allows the use of social networks?

    • Network performance degradation
    • Browser vulnerability exploitation
    • Decreased user productivity
    • Inadvertent data disclosure
  12. The BEST way to establish a security baseline is by documenting:

    • the organization’s preferred security level.
    • a framework of operational standards.
    • the desired range of security settings.
    • a standard of acceptable settings.
  13. Which of the following is the MOST important reason to have documented security procedures and guidelines?

    • To meet regulatory compliance requirements
    • To allocate security responsibilities to staff
    • To facilitate collection of security metrics
    • To enable standard security practices
  14. Which of the following recovery approaches generally has the LOWEST periodic cost?

    • Redundant site
    • Reciprocal agreement
    • Shared contingency center
    • Cold site
  15. Presenting which of the following to senior management will be MOST helpful in securing ongoing support for the information security strategy?

    • Historical security incidents
    • Return on security investment
    • Completed business impact analyses (BIAs)
    • Current vulnerability metrics
  16. From an information security perspective, legal issues associated with a transborder flow of technology-related items are MOST often related to:

    • website transactions and taxation.
    • lack of competition and free trade.
    • encryption tools and personal data.
    • software patches and corporate data.
  17. An organization has decided to store production data in a cloud environment. What should be the FIRST consideration?

    • Data backup
    • Data transfer
    • Data classification
    • Data isolation
  18. Which of the following is the MOST effective way for an information security manager to protect the organization from misuse of social media?

    • Hire a social media manager to control content delivered via social media.
    • Scan social media platforms for company references.
    • Restrict the use of social media on corporate networks and devices.
    • Deliver regular social media awareness training to all employees.
  19. Which of the following is the GREATEST benefit of a centralized approach to coordinating information security?

    • Optimal use of security resources
    • Reduction in the number of policies
    • Business user buy-in
    • Integration with business functions
  20. Which of the following factors is MOST likely to increase the chances of a successful social engineering attack?

    • Technical skills
    • Knowledge of internal procedures
    • Potential financial gain
    • Weak authentication for remote access