CISM 1 of 4


What is the PRIMARY role of the information security manager in the process of information classification within an organization? A. Defining and ratifying the classification structure of information assets B. Deciding the classification levels applied to the organization's information assets C. Securing information assets in accordance with their classification D. Checking if information assets have been classified properly

A. Defining and ratifying the classification structure of information assets

Which of the following are likely to be updated MOST frequently? A. Procedures for hardening database servers B. Standards for password length and complexity C. Policies addressing information security governance D. Standards for document retention and destruction

A. Procedures for hardening database servers

Which of the following requirements would have the lowest level of priority in information security? A. Technical B. Regulatory C. Privacy D. Business

A. Technical

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value? A. Examples of genuine incidents at similar organizations B. Statement of generally accepted best practices C. Associating realistic threats to corporate objectives D. Analysis of current technological exposures

C. Associating realistic threats to corporate objectives

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified? A. Business management B. Operations manager C. Information security manager D. System users

C. Information security manager

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST: A. meet with stakeholders to decide how to comply. B. analyze key risks in the compliance process. C. assess whether existing controls meet the regulation. D. update the existing security/privacy policy.

C. assess whether existing controls meet the regulation.

The cost of implementing a security control should not exceed the: A. annualized loss expectancy. B. cost of an incident. C. asset value. D. implementation opportunity costs.

C. asset value.

Developing a successful business case for the acquisition of information security software products can BEST be assisted by: A. assessing the frequency of incidents. B. quantifying the cost of control failures. C. calculating return on investment (ROI) projections. D. comparing spending against similar organizations.

C. calculating return on investment (ROI) projections.

A good privacy statement should include: A. notification of liability on accuracy of information. B. notification that information will be encrypted. C. what the company will do with information it collects. D. a description of the information classification process.

C. what the company will do with information it collects.

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification? A. Alignment with industry best practices B. Business continuity investment C. Business benefits D. Regulatory compliance

D. Regulatory compliance

Senior management commitment and support for information security can BEST be obtained through presentations that: A. use illustrative examples of successful attacks. B. explain the technical risks to the organization. C. evaluate the organization against best security practices. D. tie security risks to key business objectives.

D. tie security risks to key business objectives.

While implementing information security governance an organization should FIRST: A. adopt security standards. B. determine security baselines. C. define the security strategy. D. establish security policies.

C. define the security strategy.

When designing an information security quarterly report to management, the MOST important element to be considered should be the: A. information security metrics. B. knowledge required to analyze each issue. C. linkage to business area objectives. D. baseline against which metrics are evaluated.

C. linkage to business area objectives.

When a security standard conflicts with a business objective, the situation should be resolved by: A. changing the security standard. B. changing the business objective. C. performing a risk analysis. D. authorizing a risk acceptance.

C. performing a risk analysis.

Information security projects should be prioritized on the basis of: A. time required for implementation. B. impact on the organization. C. total cost for implementation. D. mix of resources required.

B. impact on the organization.

When personal information is transmitted across networks, there MUST be adequate controls over: A. change management. B. privacy protection. C. consent to data transfer. D. encryption devices.

B. privacy protection.

To justify its ongoing security budget, which of the following would be of MOST use to the information security department? A. Security breach frequency B. Annualized loss expectancy (ALE) C. Cost-benefit analysis D. Peer group comparison

C. Cost-benefit analysis

Which of the following roles would represent a conflict of interest for an information security manager? A. Evaluation of third parties requesting connectivity B. Assessment of the adequacy of disaster recovery plans C. Final approval of information security policies D. Monitoring adherence to physical security controls

C. Final approval of information security policies

Which of the following is MOST likely to be discretionary? A. Policies B. Procedures C. Guidelines D. Standards

C. Guidelines

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of: A. performance measurement. B. integration. C. alignment. D. value delivery.

C. alignment.

The MOST appropriate role for senior management in supporting information security is the: A. evaluation of vendors offering security products. B. assessment of risks to the organization. C. approval of policy statements and funding. D. monitoring adherence to regulatory requirements.

C. approval of policy statements and funding.

The MOST important component of a privacy policy is: A. notifications. B. warranties. C. liabilities. D. geographic coverage.

A. notifications.

Which of the following is the MOST important to keep in mind when assessing the value of information? A. The potential financial loss B. The cost of recreating the information C. The cost of insurance coverage D. Regulatory requirement

A. The potential financial loss

Security technologies should be selected PRIMARILY on the basis of their: A. ability to mitigate business risks. B. evaluations in trade publications. C. use of new and emerging technologies. D. benefits in comparison to their costs.

A. ability to mitigate business risks.

The MOST useful way to describe the objectives in the information security strategy is through: A. attributes and characteristics of the "desired state." B. overall control objectives of the security program. C. mapping the IT systems to key business processes. D. calculation of annual loss expectations.

A. attributes and characteristics of the "desired state."

The MOST basic requirement for an information security governance program is to: A. be aligned with the corporate business strategy. B. be based on a sound risk management approach. C. provide adequate regulatory compliance. D. provide best practices for security initiatives.

A. be aligned with the corporate business strategy.

In implementing information security governance, the information security manager is PRIMARILY responsible for: A. developing the security strategy. B. reviewing the security strategy. C. communicating the security strategy. D. approving the security strategy.

A. developing the security strategy.

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing: A. organizational risk. B. organization wide metrics. C. security needs. D. the responsibilities of organizational units.

A. organizational risk.

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if: A. it implies compliance risks. B. short-term impact cannot be determined. C. it violates industry security practices. D. changes in the roles matrix cannot be detected.

A. it implies compliance risks.

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to: A. ensure that security processes are consistent across the organization. B. enforce baseline security levels across the organization. C. ensure that security processes are fully documented. D. implement monitoring of key performance indicators for security processes.

A. ensure that security processes are consistent across the organization.

Which of the following is the MOST important prerequisite for establishing information security management within an organization? A. Senior management commitment B. Information security framework C. Information security organizational structure D. Information security policy

A. Senior management commitment

Which of the following would BEST ensure the success of information security governance within an organization? A. Steering committees approve security projects B. Security policy training provided to all managers C. Security training available to all employees on the intranet D. Steering committees enforce compliance with laws and regulations

A. Steering committees approve security projects

The MOST important characteristic of good security policies is that they: A. state expectations of IT management. B. state only one general security mandate. C. are aligned with organizational goals. D. govern the creation of procedures and guidelines.

C. are aligned with organizational goals.

Information security policy enforcement is the responsibility of the: A. security steering committee. B. chief information officer (CIO). C. chief information security officer (CISO). D. chief compliance officer (CCO).

C. chief information security officer (CISO).

Which of the following is MOST appropriate for inclusion in an information security strategy? A. Business controls designated as key controls B. Security processes, methods, tools and techniques C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings D. Budget estimates to acquire specific security tools

B. Security processes, methods, tools and techniques

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)? A. Knowledge of information technology platforms, networks and development methodologies B. Ability to understand and map organizational needs to security technologies C. Knowledge of the regulatory environment and project management techniques D. Ability to manage a diverse group of individuals and resources across an organization

B. Ability to understand and map organizational needs to security technologies

Which of the following should be the FIRST step in developing an information security plan? A. Perform a technical vulnerabilities assessment B. Analyze the current business strategy C. Perform a business impact analysis D. Assess the current levels of security awareness

B. Analyze the current business strategy

Which of the following is characteristic of centralized information security management? A. More expensive to administer B. Better adherence to policies C. More aligned with business unit needs D. Faster turnaround of requests

B. Better adherence to policies

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group? A. Information security manager B. Chief operating officer (COO) C. Internal auditor D. Legal counsel

B. Chief operating officer (COO)

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise? A. Chief security officer (CSO) B. Chief operating officer (COO) C. Chief privacy officer (CPO) D. Chief legal counsel (CLC)

B. Chief operating officer (COO)

Which of the following is the MOST important information to include in a strategic plan for information security? A. Information security staffing requirements B. Current state and desired future state C. IT capital investment requirements D. Information security mission statement

B. Current state and desired future state

Logging is an example of which type of defense against systems compromise? A. Containment B. Detection C. Reaction D. Recovery

B. Detection

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies? A. Create separate policies to address each regulation B. Develop policies that meet all mandated requirements C. Incorporate policy statements provided by regulators D. Develop a compliance risk assessment

B. Develop policies that meet all mandated requirements

When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST? A. Develop a security architecture B. Establish good communication with steering committee members C. Assemble an experienced staff D. Benchmark peer organizations

B. Establish good communication with steering committee members

Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk? A. Ensure that all IT risks are identified B. Evaluate the impact of information security risks C. Demonstrate that IT mitigating controls are in place D. Suggest new IT controls to mitigate operational risk

B. Evaluate the impact of information security risks

To achieve effective strategic alignment of security initiatives, it is important that: A. Steering committee leadership be selected by rotation. B. Inputs be obtained and consensus achieved between the major organizational units. C. The business strategy be updated periodically. D. Procedures and standards be approved by all departmental heads.

B. Inputs be obtained and consensus achieved between the major organizational units.

Which of the following would BEST prepare an information security manager for regulatory reviews? A. Assign an information security administrator as regulatory liaison B. Perform self-assessments using regulatory guidelines and reports C. Assess previous regulatory reports with process owners input D. Ensure all regulatory inquiries are sanctioned by the legal department

B. Perform self-assessments using regulatory guidelines and reports

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles? A. Ethics B. Proportionality C. Integration D. Accountability

B. Proportionality

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management? A. Security metrics reports B. Risk assessment reports C. Business impact analysis (BIA) D. Return on security investment report

B. Risk assessment reports

Who should drive the risk analysis for an organization? A. Senior management B. Security manager C. Quality manager D. Legal department

B. Security manager

Which of the following is MOST important in developing a security strategy? A. Creating a positive business security environment B. Understanding key business objectives C. Having a reporting line to senior management D. Allocating sufficient resources to information security

B. Understanding key business objectives

The PRIMARY concern of an information security manager documenting a formal data retention policy would be: A. generally accepted industry best practices. B. business requirements. C. legislative and regulatory requirements. D. storage availability.

B. business requirements.

The chief information security officer (CISO) should ideally have a direct reporting relationship to the: A. head of internal audit. B. chief operations officer (COO). C. chief technology officer (CTO). D. legal counsel.

B. chief operations officer (COO).

The FIRST step in developing an information security management program is to: A. identify business risks that affect the organization. B. clarify organizational purpose for creating the program. C. assign responsibility for the program. D. assess adequacy of controls to mitigate business risks.

B. clarify organizational purpose for creating the program.

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST: A. prepare a security budget. B. conduct a risk assessment. C. develop an information security policy. D. obtain benchmarking information.

B. conduct a risk assessment.

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the: A. corporate data privacy policy. B. data privacy policy where data are collected. C. data privacy policy of the headquarters' country. D. data privacy directive applicable globally.

B. data privacy policy where data are collected.

The PRIMARY objective of a security steering group is to: A. ensure information security covers all business functions. B. ensure information security aligns with business goals. C. raise information security awareness across the organization. D. implement all decisions on security management across the organization.

B. ensure information security aligns with business goals.

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should: A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions. B. establish baseline standards for all locations and add supplemental standards as required. C. bring all locations into conformity with a generally accepted set of industry best practices. D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.

B. establish baseline standards for all locations and add supplemental standards as required.

Retention of business records should PRIMARILY be based on: A. business strategy and direction. B. regulatory and legal requirements. C. storage capacity and longevity. D. business ease and value analysis.

B. regulatory and legal requirements.

An outcome of effective security governance is: A. business dependency assessment. B. strategic alignment. C. risk assessment. D. planning.

B. strategic alignment.

Successful implementation of information security governance will FIRST require: A. security awareness training. B. updated security policies. C. a computer incident management team. D. a security architecture.

B. updated security policies.

Investments in information security technologies should be based on: A. vulnerability assessments. B. value analysis. C. business climate. D. audit recommendations.

B. value analysis.

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization? A. More uniformity in quality of service B. Better adherence to policies C. Better alignment to business unit needs D. More savings in total operating costs

C. Better alignment to business unit needs

Which of the following is responsible for legal and regulatory liability? A. Chief security officer (CSO) B. Chief legal counsel (CLC) C. Board and senior management D. Information security steering group

C. Board and senior management

Who is ultimately responsible for the organization's information? A. Data custodian B. Chief information security officer (CISO) C. Board of directors D. Chief information officer (CIO)

C. Board of directors

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution? A. Risk assessment report B. Technical evaluation report C. Business case D. Budgetary requirements

C. Business case

What will have the HIGHEST impact on standard information security governance models? A. Number of employees B. Distance between physical locations C. Complexity of organizational structure D. Organizational budget

C. Complexity of organizational structure

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take? A. Enforce the existing security standard B. Change the standard to permit the deployment C. Perform a risk analysis to quantify the risk D. Perform research to propose use of a better technology

C. Perform a risk analysis to quantify the risk

Which of the following are seldom changed in response to technological changes? A. Standards B. Procedures C. Policies D. Guidelines

C. Policies

Which of the following MOST commonly falls within the scope of an information security governance steering committee? A. Interviewing candidates for information security specialist positions B. Developing content for security awareness programs C. Prioritizing information security initiatives D. Approving access to critical financial systems

C. Prioritizing information security initiatives

What would be the MOST significant security risks when using wireless local area network (LAN) technology? A. Man-in-the-middle attack B. Spoofing of data packets C. Rogue access point D. Session hijacking

C. Rogue access point

Relationships among security technologies are BEST defined through which of the following? A. Security metrics B. Network topology C. Security architecture D. Process improvement models

C. Security architecture

Which of the following would be MOST effective in successfully implementing restrictive password policies? A. Regular password audits B. Single sign-on system C. Security awareness program D. Penalties for noncompliance

C. Security awareness program

Reviewing which of the following would BEST ensure that security controls are effective? A. Risk assessment policies B. Return on security investment C. Security metrics D. User access rights

C. Security metrics

Senior management commitment and support for information security can BEST be enhanced through: A. a formal security policy sponsored by the chief executive officer (CEO). B. regular security awareness training for employees. C. periodic review of alignment with business management goals. D. senior management signoff on the information security strategy.

C. periodic review of alignment with business management goals.

A security manager meeting the requirements for the international flow of personal data will need to ensure: A. a data processing agreement. B. a data protection registration. C. the agreement of the data subjects. D. subject access procedures.

C. the agreement of the data subjects.

From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities? A. Enhanced policy compliance B. Improved procedure flows C. Segregation of duties D. Better accountability

D. Better accountability

It is MOST important that information security architecture be aligned with which of the following? A. Industry best practices B. Information technology plans C. Information security best practices D. Business objectives and goals

D. Business objectives and goals

At what stage of the applications development process should the security department initially become involved? A. When requested B. At testing C. At programming D. At detail requirements

D. At detail requirements

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint? A. Compliance with international security standards. B. Use of a two-factor authentication system. C. Existence of an alternate hot site in case of business disruption. D. Compliance with the organization's information security requirements.

D. Compliance with the organization's information security requirements.

Who in an organization has the responsibility for classifying information? A. Data custodian B. Database administrator C. Information security officer D. Data owner

D. Data owner

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform? A. Update platform-level security settings B. Conduct disaster recovery test exercises C. Approve access to critical financial systems D. Develop an information security strategy paper

D. Develop an information security strategy paper

Which of the following would be the MOST important goal of an information security governance program? A. Review of internal control mechanisms B. Effective involvement in business decision making C. Total elimination of risk factors D. Ensuring trust in data

D. Ensuring trust in data

Which of the following situations would MOST inhibit the effective implementation of security governance? A. The complexity of technology B. Budgetary constraints C. Conflicting business priorities D. High-level sponsorship

D. High-level sponsorship

Which of the following represents the MAJOR focus of privacy regulations? A. Unrestricted data mining B. Identity theft C. Human rights protection D. Identifiable personal data

D. Identifiable personal data

Which of the following is the MOST important information to include in an information security standard? A. Creation date B. Author name C. Initial draft approval date D. Last review date

D. Last review date

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation? A. Give organization standards preference over local regulations B. Follow local regulations only C. Make the organization aware of those standards where local regulations cause conflicts D. Negotiate a local version of the organization standards

D. Negotiate a local version of the organization standards

Who should be responsible for enforcing access rights to application data? A. Data owners B. Business process owners C. The security steering committee D. Security administrators

D. Security administrators

When developing an information security program, what is the MOST useful source of information for determining available resources? A. Proficiency test B. Job descriptions C. Organization chart D. Skills inventory

D. Skills inventory

Which of the following is the MOST important factor when designing information security architecture? A. Technical platform interfaces B. Scalability of the network C. Development methodologies D. Stakeholder requirements

D. Stakeholder requirements

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization? A. The information security department has difficulty filling vacancies. B. The chief information officer (CIO) approves security policy changes. C. The information security oversight committee only meets quarterly. D. The data center manager has final signoff on all security projects.

D. The data center manager has final signoff on all security projects.

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be: A. aligned with the IT strategic plan. B. based on the current rate of technological change. C. three-to-five years for both hardware and software. D. aligned with the business strategy.

D. aligned with the business strategy.

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in: A. storage capacity and shelf life. B. regulatory and legal requirements. C. business strategy and direction. D. application systems and media.

D. application systems and media.

Minimum standards for securing the technical infrastructure should be defined in a security: A. strategy. B. guidelines. C. model. D. architecture.

D. architecture.

Information security governance is PRIMARILY driven by: A. technology constraints. B. regulatory requirements. C. litigation potential. D. business strategy.

D. business strategy.

In order to highlight to management the importance of network security, the security manager should FIRST: A. develop a security architecture. B. install a network intrusion detection system (NIDS) and prepare a list of attacks. C. develop a network security policy. D. conduct a risk assessment.

D. conduct a risk assessment.

Acceptable levels of information security risk should be determined by: A. legal counsel. B. security management. C. external auditors. D. the steering committee.

D. the steering committee.

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security: A. baseline. B. strategy. C. procedure. D. policy.

D. policy.

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST: A. review the functionalities and implementation requirements of the solution. B. review comparison reports of tool implementation in peer companies. C. provide examples of situations where such a tool would be useful. D. substantiate the investment in meeting organizational needs.

D. substantiate the investment in meeting organizational needs.

The PRIMARY goal in developing an information security strategy is to: A. establish security metrics and performance monitoring. B. educate business process owners regarding their duties. C. ensure that legal and regulatory requirements are met. D. support the business objectives of the organization.

D. support the business objectives of the organization.
