CISM Practice Exam Questions and Answers

A.  

Involving information security at each stage of project management

B.  

Identifying responsibilities during the project business case analysis

C.  

Creating a data classification framework and providing it to stakeholders

D.  

Providing stakeholders with minimum information security requirements

A.  

Periodic updates to risk register

B.  

Risk management dashboards

C.  

Security information and event management (SIEM) systems

D.  

Vulnerability assessment results

A.  

Formalizing a security strategy and program

B.  

Developing an awareness program for staff

C.  

Ensuring current documentation of security processes

D.  

Establishing processes within the security operations team

A.  

storage in a shared environment.

B.  

availability of the data.

C.  

data classification.

D.  

physical location of the data.

A.  

The time and location that the breach occurred

B.  

Evidence of previous incidents caused by the user

C.  

The underlying reason for the user error

D.  

Appropriate disciplinary procedures for user error

A.  

Review independent security assessment reports for each vendor.

B.  

Benchmark each vendor's services with industry best practices.

C.  

Analyze the risks and propose mitigating controls.

D.  

Define information security requirements and processes.

A.  

The risk is justified by the cost to the business.

B.  

The risk is justified by the benefit to security.

C.  

The risk is justified by the cost to security.

D.  

The risk is justified by the benefit to the business.

A.  

Publish adopted information security standards.

B.  

Perform annual information security compliance reviews.

C.  

Implement an information security governance framework.

D.  

Define penalties for information security noncompliance.

A.  

Perform penetration testing on affected systems.

B.  

Scan IT systems for operating system vulnerabilities.

C.  

Review change in business requirements for information security.

D.  

Assess impact on information security risk.

A.  

Business impact analysis (BIA)

B.  

Gap analysis

C.  

Threat analysis

D.  

Vulnerability analysis

A.  

Purchasing insurance

B.  

Discontinuing the activity associated with the risk

C.  

Improving security controls

D.  

Performing a cost-benefit analysis

A.  

An increase in the frequency of phishing tests

B.  

An increase in positive user feedback

C.  

An increase in the speed of incident resolution

D.  

An increase in the identification rate during phishing simulations

A.  

rely on senior management to enforce security.

B.  

promote the relevance and contribution of security.

C.  

focus on compliance.

D.  

reiterate the necessity of security.

A.  

Integrating security throughout the development process

B.  

Performing security testing prior to deployment

C.  

Providing standards for implementation during development activities

D.  

Providing security training to the software development team

A.  

The definition of an incident

B.  

Compliance with regulations

C.  

Management support

D.  

Previously reported incidents

A.  

Ensuring contingency plans are in place for potential information security risks

B.  

Ensuring alignment with the plans of other business units

C.  

Allowing the information security program to expand its capabilities

D.  

Demonstrating projected budget increases year after year

A.  

Perform a risk assessment.

B.  

Reduce security hardening settings.

C.  

Inform business management of the risk.

D.  

Document a security exception.

A.  

Regulations and standards

B.  

People and culture

C.  

Executive and board directives

D.  

Processes and technology

A.  

Key control indicator (KCIs)

B.  

Key risk indicators (KRIs)

C.  

Key performance indicators (KPIs)

D.  

Key goal indicators (KGIs)

A.  

The security strategy is promoted.

B.  

Fewer security incidents are reported.

C.  

Security behavior is improved.

D.  

More security incidents are detected.

A.  

major business processes have been redesigned.

B.  

the business continuity plan (BCP) has been updated.

C.  

the security risk profile has been reviewed

D.  

noncompliance incidents have been filed.

A.  

Impact on information security program

B.  

Cost of controls

C.  

Impact to business function

D.  

Cost to replace

A.  

Determine which country's information security regulations will be used.

B.  

Merge the two existing information security programs.

C.  

Apply the existing information security program to the acquired company.

D.  

Evaluate the information security laws that apply to the acquired company.

A.  

Each process is assigned to a responsible party.

B.  

The contact list is regularly updated.

C.  

Minimum regulatory requirements are maintained.

D.  

Senior management approval has been documented.

A.  

Include security requirements in the contract

B.  

Assess security controls.

C.  

Perform a risk assessment

D.  

Review data architecture.

A.  

Cost of the attack to the organization

B.  

Location of the attacker

C.  

Method of operation used by the attacker

D.  

Details from intrusion detection system (IDS) logs

A.  

Business impact analysis (BIA) results

B.  

Key performance indicators (KPIs)

C.  

Recovery procedures

D.  

Systems inventory

A.  

Employing global security standards during development processes

B.  

Providing training on secure development practices to programmers

C.  

Performing application security testing during acceptance testing

D.  

Introducing security requirements during the initiation phase

A.  

It transfers the risk associated with recovery to a third party.

B.  

It lowers the annual cost to the business.

C.  

It eliminates the need to maintain offsite facilities.

D.  

It eliminates the need for the business to perform testing.

A.  

Reduction in residual risk

B.  

Security framework alignment

C.  

Speed of implementation

D.  

Industry peer benchmarking

A.  

Members have knowledge of information security controls.

B.  

Members are business risk owners.

C.  

Members are rotated periodically.

D.  

Members represent functions across the organization.

A.  

Lack of encryption for backup data in transit

B.  

Undefined or undocumented backup retention policies

C.  

Ineffective alert configurations for backup operations

D.  

Unavailable or corrupt data backups

A.  

reduces unauthorized access to systems.

B.  

promotes efficiency in control of the environment.

C.  

prevents inconsistencies in information in the distributed environment.

D.  

allows administrative staff to make management decisions.

A.  

Purchase cyber insurance

B.  

Encrypt sensitive production data

C.  

Perform Integrity checks on backups

D.  

Maintain multiple offline backups

A.  

Conduct user awareness training within the IT function.

B.  

Propose that IT update information security policies and procedures.

C.  

Determine the risk related to noncompliance with the policy.

D.  

Request that internal audit conduct a review of the policy development process,

A.  

Risk assessment

B.  

Business impact analysis (BIA)

C.  

Vulnerability assessment

D.  

Industry best practices

A.  

define allowable security boundaries.

B.  

communicate management's security expectations.

C.  

establish the way security tasks should be executed.

D.  

implement management's security governance strategy.

A.  

Base mandatory review and exception approvals on residual risk,

B.  

Require users to acknowledge the acceptable use policy.

C.  

Require the steering committee to review exception requests.

D.  

Base mandatory review and exception approvals on inherent risk.