Exam (elaborations)

CISM Test Question Bank 2023 Verified for learners

Pages: 40
Grade: A+
Uploaded on: 25-04-2023
Written in: 2022/2023


Preview of the content

CISM Test Question Bank 2023 Verified for learners
Which of the following tools is MOST appropriate for determining how long a security
project will take to implement?
Critical path
When speaking to an organization's human resources department about information
security, an information security manager should focus on the need for:
security awareness training for employees.
Good information security standards should:
define precise and unambiguous allowable limits.
Which of the following should be the FIRST step in developing an information security
plan?
Analyze the current business strategy
Senior management commitment and support for information security can BEST be
obtained through presentations that:
tie security risks to key business objectives
The MOST appropriate role for senior management in supporting information security is
the:
approval of policy statements and funding
Which of the following would BEST ensure the success of information security
governance within an organization?
Steering committees approve security projects
Information security governance is PRIMARILY driven by:
business strategy
Which of the following represents the MAJOR focus of privacy regulations?
Identifiable personal data
Investments in information security technologies should be based on:
value analysis
Retention of business records should PRIMARILY be based on
regulatory and legal requirements
Which of the following is characteristic of centralized information security management?
Better adherence to policies
Successful implementation of information security governance will FIRST require:
updated security policies
Which of the following individuals would be in the BEST position to sponsor the creation
of an information security steering group?
Chief operating officer (COO)
The MOST important component of a privacy policy is:
notifications
The cost of implementing a security control should not exceed the:
asset value
When a security standard conflicts with a business objective, the situation should be
resolved by:
performing a risk analysis
Minimum standards for securing the technical infrastructure should be defined in a
security:

architecture
Which of the following is MOST appropriate for inclusion in an information security
strategy?
Security processes, methods, tools and techniques
Senior management commitment and support for information security will BEST be
attained by an information security manager by emphasizing:
organizational risk
Which of the following roles would represent a conflict of interest for an information
security manager?
Final approval of information security policies
Which of the following situations must be corrected FIRST to ensure successful
information security governance within an organization?
The data center manager has final signoff on all security projects
Which of the following requirements would have the lowest level of priority in information
security?
Technical
When an organization hires a new information security manager, which of the following
goals should this individual pursue FIRST?
Establish good communication with steering committee members
It is MOST important that information security architecture be aligned with which of the
following?
Business goals and objectives
Which of the following is MOST likely to be discretionary?
Guidelines
Security technologies should be selected PRIMARILY on the basis of their:
ability to mitigate business risks
Which of the following are seldom changed in response to technological changes?
Policies
The MOST important factor in planning for the long-term retention of electronically
stored business records is to take into account potential changes in:
application systems and media
Which of the following is characteristic of decentralized information security
management across a geographically dispersed organization?
Better alignment to business unit needs
Which of the following is the MOST appropriate position to sponsor the design and
implementation of a new security infrastructure in a large global enterprise?
Chief operating officer (COO)
Which of the following would be the MOST important goal of an information security
governance program?
Ensuring trust in data
Relationships among security technologies are BEST defined through which of the
following?
Security architecture
A business unit intends to deploy a new technology in a manner that places it in
violation of existing information security standards. What immediate action should an
information security manager take?

Perform a risk analysis to quantify the risk
Acceptable levels of information security risk should be determined by:
the steering committee
The PRIMARY goal in developing an information security strategy is to:
support the business objectives of the organization
Senior management commitment and support for information security can BEST be
enhanced through:
periodic review of alignment with business management goals
When identifying legal and regulatory issues affecting information security, which of the
following would represent the BEST approach to developing information security
policies?
Develop policies that meet all mandated requirements
Which of the following MOST commonly falls within the scope of an information security
governance steering committee?
Prioritizing information security initiatives
Which of the following is the MOST important factor when designing information security
architecture?
Stakeholder requirements
Which of the following characteristics is MOST important when looking at prospective
candidates for the role of chief information security officer (CISO)?
Ability to understand and map organizational needs to security technologies
Which of the following are likely to be updated MOST frequently?
Procedures for hardening database servers
Who should be responsible for enforcing access rights to application data?
Security administrators
The chief information security officer (CISO) should ideally have a direct reporting
relationship to the:
chief operations officer (COO)
Which of the following is the MOST essential task for a chief information security officer
(CISO) to perform?
Develop an information security strategy paper
Developing a successful business case for the acquisition of information security
software products can BEST be assisted by:
calculating return on investment (ROI) projections
When an information security manager is developing a strategic plan for information
security, the timeline for the plan should be:
aligned with the business strategy
Which of the following is the MOST important information to include in a strategic plan
for information security?
Current state and desired future state
Information security projects should be prioritized on the basis of:
impact on the organization
Which of the following is the MOST important information to include in an information
security standard?
Last review date

Which of the following would BEST prepare an information security manager for
regulatory reviews?
Perform self-assessments using regulatory guidelines and reports
An information security manager at a global organization that is subject to regulation by
multiple governmental jurisdictions with differing requirements should:
establish baseline standards for all locations and add supplemental standards as
required
Which of the following BEST describes an information security manager's role in a
multidisciplinary team that will address a new regulatory requirement regarding
operational risk?
Evaluate the impact of information security risks
From an information security manager perspective, what is the immediate benefit of
clearly defined roles and responsibilities?
Better accountability
An internal audit has identified major weaknesses over IT processing. Which of the
following should an information security manager use to BEST convey a sense of
urgency to management?
Risk assessment reports
Reviewing which of the following would BEST ensure that security controls are
effective?
Security metrics
Which of the following is responsible for legal and regulatory liability?
Board and senior management
While implementing information security governance an organization should FIRST:
define the security strategy
The MOST basic requirement for an information security governance program is to
be aligned with the corporate business strategy
Information security policy enforcement is the responsibility of the:
chief information security officer (CISO)
A good privacy statement should include:
what the company will do with information it collects
Which of the following would be MOST effective in successfully implementing restrictive
password policies?
Security awareness program
When designing an information security quarterly report to management, the MOST
important element to be considered should be the:
linkage to business area objectives
An information security manager at a global organization has to ensure that the local
information security program will initially ensure compliance with the:
data privacy policy where data are collected.
A new regulation for safeguarding information processed by a specific type of
transaction has come to the attention of an information security officer. The officer
should FIRST:
assess whether existing controls meet the regulation.
Data owners must provide a safe and secure environment to ensure confidentiality,
integrity and availability of the transaction. This is an example of an information security:

Seller: magdamwikash23, Western Governers University