The FIRST step in developing an information security management program is to:
A. identify business risks that affect the organization.
B. clarify organizational purpose for creating the program.
C. assign responsibility for the program.
D. assess adequacy of controls to mitigate business risks.
Answer: B
Explanation: In developing an information...
Which of the following situations would MOST inhibit the effective implementation of security governance?
A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. High-level sponsorship
Answer: D
Explanation: The need for senior management involvement and support is a key success factor for the implementation of appropriate...
Acceptable levels of information security risk should be determined by:
A. legal counsel.
B. security management.
C. external auditors.
D. the steering committee.
Answer: D
Explanation: Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel,...
The PRIMARY objective of a security steering group is to:
A. ensure information security covers all business functions.
B. ensure information security aligns with business goals.
C. raise information security awareness across the organization.
D. implement all decisions on security management across the organization.
Answer: B
Explanation: The security steering...
Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
A. assessing the frequency of incidents.
B. quantifying the cost of control failures.
C. calculating return on investment (ROI) projections.
D. comparing spending against similar organizations.
Answer: C
Explanation: Calculating the return...
Who should be responsible for enforcing access rights to application data?
A. Data owners
B. Business process owners
C. The security steering committee
D. Security administrators
Answer: D
Explanation: As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights....
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs
Answer: C
Explanation: Decentralization of information security management...
In order to highlight to management the importance of network security, the security manager should FIRST:
A. develop a security architecture.
B. install a network intrusion detection system (NIDS) and prepare a list of attacks.
C. develop a network security policy.
D. conduct a risk assessment.
Answer: D
Explanation: A...
Information security projects should be prioritized on the basis of:
A. time required for implementation.
B. impact on the organization.
C. total cost for implementation.
D. mix of resources required.
Answer: B
Explanation: Information security projects should be assessed on the basis of the positive impact that they will have...
Which of the following would BEST prepare an information security manager for regulatory reviews?
A. Assign an information security administrator as regulatory liaison
B. Perform self-assessments using regulatory guidelines and reports
C. Assess previous regulatory reports with process owners' input
D. Ensure all regulatory inquiries are sanctioned by the legal...