Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 77
When designing security controls, it is MOST important to:
- apply a risk-based approach.
- focus on preventive controls.
- evaluate the costs associated with the controls.
- apply controls to confidential information.
Information classification is a fundamental step in determining:
- whether risk analysis objectives are met.
- who has ownership of information.
- the type of metrics that should be captured.
- the security strategy that should be used.
Which of the following should be the MOST important consideration of business continuity management?
- Ensuring human safety
- Identifying critical business processes
- Ensuring the reliability of backup data
- Securing critical information assets
Which of the following would be MOST helpful when justifying the funding required for a compensating control?
- Business case
- Risk analysis
- Business impact analysis
- Threat assessment
Which of the following would MOST effectively ensure that information security is implemented in a new system?
- Security baselines
- Security scanning
- Secure code reviews
- Penetration testing
Which of the following is the MOST important component of information security governance?
- Approved information security strategy
- Documented information security policies
- Comprehensive information security awareness program
- Appropriate information security metrics
A penetration test was conducted by an accredited third party. Which of the following should be the information security manager’s FIRST course of action?
- Ensure vulnerabilities found are resolved within acceptable timeframes.
- Request funding needed to resolve the top vulnerabilities.
- Report findings to senior management.
- Ensure a risk assessment is performed to evaluate the findings.
Which of the following is the MOST important consideration when establishing an information security governance framework?
- Security steering committee meetings are held at least monthly.
- Members of the security steering committee are trained in information security.
- Business unit management acceptance is obtained.
- Executive management support is obtained.
Which of the following is the MOST effective approach for delivering security incident response training?
- Perform role-playing exercises to simulate real-world incident response scenarios.
- Engage external consultants to present real-world examples within the industry.
- Include incident response training within new staff orientation.
- Provide on-the-job training and mentoring for the incident response team.
Which of the following is MOST important to the successful development of an information security strategy?
- A well-implemented governance framework
- Current state and desired objectives
- An implemented development life cycle process
- Approved policies and standards
An organization establishes an internal document collaboration site. To ensure data confidentiality of each project group, it is MOST important to:
- prohibit remote access to the site.
- periodically recertify access rights.
- enforce document lifecycle management.
- conduct a vulnerability assessment.
When aligning an organization’s information security program with other risk and control activities, it is MOST important to:
- develop an information security governance framework.
- have information security management report to the chief risk officer.
- ensure adequate financial resources are available.
- integrate security within the system development life cycle.
A large number of exceptions to an organization’s information security standards have been granted after senior management approved a bring your own device (BYOD) program. To address this situation, it is MOST important for the information security manager to:
- introduce strong authentication on devices.
- reject new exception requests.
- update the information security policy.
- require authorization to wipe lost devices.
An information security manager has determined that the mean time to prioritize information security incidents has increased to an unacceptable level. Which of the following processes would BEST enable the information security manager to address this concern?
- Incident classification
- Vulnerability assessment
- Incident response
- Forensic analysis
Which of the following is the PRIMARY responsibility of the information security manager when an organization implements the use of personally owned devices on the corporate network?
- Requiring remote wipe capabilities
- Enforcing defined policy and procedures
- Conducting security awareness training
- Encrypting the data on mobile devices
During an information security audit, it was determined that IT staff did not follow the established standard when configuring and managing IT systems. Which of the following is the BEST way to prevent future occurrences?
- Updating configuration baselines to allow exceptions
- Conducting periodic vulnerability scanning
- Providing annual information security awareness training
- Implementing a strict change control process
Which of the following should be the PRIMARY focus of a post-incident review following a successful response to a cybersecurity incident?
- Which control failures contributed to the incident
- How incident response processes were executed
- What attack vectors were utilized
- When business operations were restored
An organization has decided to conduct a postmortem analysis after experiencing a loss from an information security attack. The PRIMARY purpose of this analysis should be to:
- prepare for criminal prosecution.
- document lessons learned.
- evaluate the impact.
- update information security policies.
Which of the following is the MOST important reason for performing a cost-benefit analysis when implementing a security control?
- To present a realistic information security budget
- To ensure that benefits are aligned with business strategies
- To ensure that the mitigation effort does not exceed the asset value
- To justify information security program activities
When developing a new system, detailed information security functionality should FIRST be addressed:
- as part of prototyping.
- during the system design phase.
- when system requirements are defined.
- as part of application development.