CISM Practice Exam Questions and Answers

A.  

Consult with IT staff and assess the risk based on their recommendations

B.  

Update the security policy based on the regulatory requirements

C.  

Propose relevant controls to ensure the business complies with the regulation

D.  

Identify and assess the risk in the context of business objectives

A.  

Compromise of critical assets via third-party resources

B.  

Unavailability of services provided by a supplier

C.  

Loss of customers due to unavailability of products

D.  

Unreliable delivery of hardware and software resources by a supplier

A.  

Access manager

B.  

IT director

C.  

System administrator

D.  

Business owner

A.  

Perform due diligence with vendor candidates.

B.  

Build a business case.

C.  

Classify the organization's data.

D.  

Perform a cost-benefit analysis.

A.  

aligns with best practice for risk analysis of information assets.

B.  

assigns numeric values to exposures of information assets.

C.  

applies commonly used labels to information assets.

D.  

is based on criticality analysis of information assets.

A.  

It offers the organization flexible deployment options using cloud infrastructure.

B.  

It allows the organization to prioritize its core operations.

C.  

It is more secure than traditional data backup architecture.

D.  

It allows the use of a professional response team at a lower cost.

A.  

the security organization structure.

B.  

international security standards.

C.  

risk assessment results.

D.  

the most stringent requirements.

A.  

Walk-through of the incident response plan

B.  

Black box penetration test

C.  

Simulated phishing exercise

D.  

Red team exercise

A.  

Alignment with industry benchmarks

B.  

Results of business impact analyses (BIAs)

C.  

Possibility of reputational loss due to incidents

D.  

Availability of security budget

A.  

Security baselines

B.  

A gap analysis

C.  

A SWOT analysis

D.  

A balanced scorecard

A.  

Containment

B.  

Recovery

C.  

Eradication

D.  

Identification

A.  

Rapid detection and response to threats

B.  

Prioritized vulnerabilities

C.  

Reduced time and effort required to patch systems

D.  

Defined risk tolerance

A.  

To facilitate a qualitative risk assessment following the BIA

B.  

To increase awareness of information security among key stakeholders

C.  

To ensure the stakeholders providing input own the related risk

D.  

To obtain input from as many relevant stakeholders as possible

A.  

Discussing upcoming information security projects

B.  

Reviewing the information security risk register

C.  

Approving changes to the information security strategy

D.  

Reviewing monthly information security metrics

A.  

Ensuring response staff are appropriately trained

B.  

Developing metrics for incident response reporting

C.  

Establishing an escalation process for the help desk

D.  

Developing a RACI chart of response staff functions

A.  

List of recent security events

B.  

Key risk indication (KRIs)

C.  

Review of information security policies

D.  

information security budget requests

A.  

To reduce risk mitigation costs

B.  

To resolve vulnerabilities in enterprise architecture (EA)

C.  

To manage the risk to an acceptable level

D.  

To eliminate threats impacting the business

A.  

Job descriptions include requirements to read security policies.

B.  

The policies are updated annually.

C.  

Senior management supports the policies.

D.  

The policies are aligned to industry best practices.

A.  

Implementing automated vulnerability scanning in the help desk workflow

B.  

Changing the default setting for all security incidents to the highest priority

C.  

Integrating automated service level agreement (SLA) reporting into the help desk ticketing system

D.  

Integrating incident response workflow into the help desk ticketing system

A.  

Review independent security assessment reports for each vendor.

B.  

Benchmark each vendor's services with industry best practices.

C.  

Analyze the risks and propose mitigating controls.

D.  

Define information security requirements and processes.