CISM Domain 1 Practice Questions and Answers (100% Pass)


©PREP4EXAMS 2024/2025 REAL EXAM DUMPS Tuesday, August 6, 2024 10,57 AM

Which of the following is the MOST effective way to ensure that noncompliance to information security standards is resolved?
a. Periodic audits of noncompliant areas
b. An ongoing vulnerability scanning program
c. Annual security awareness training
d. Regular reports to the audit committee - Answer✔️✔️-D is the correct answer.
Justification
Periodic audits can be effective but only when combined with reporting.
Vulnerability scanning has little to do with noncompliance with standards.
Training can increase management's awareness regarding information security, but awareness training is generally not as compelling to management as having individual names highlighted on a compliance report.
Reporting noncompliance to the audit committee is the most effective way to have enforcement for concerned parties to take the proper action in order to comply.

What activity should the information security manager perform FIRST after finding that compliance with a set of standards is weak?
a. Initiate the exception process.
b. Modify policy to address the risk.
c. Increase compliance enforcement.
d. Perform a risk assessment. - Answer✔️✔️-D is the correct answer.
Justification
The exception process can be used after assessing the noncompliance risk and determining whether compensating controls are required.
Modifying policy is not necessary unless there is no applicable standard and policy.
It is not appropriate to increase compliance enforcement until the information security manager has determined the extent of the risk posed by weak compliance.
The first action after finding noncompliance with particular standards should be to determine the risk to the enterprise and the potential impact (for both compliance and security risk).

Management requests that an information security manager determine which regulations regarding disclosure, reporting and privacy are the most important for the enterprise to address. The recommendations for addressing these legal and regulatory requirements will be MOST useful if based on which of the following choices?
a. The extent of enforcement actions
b. The probability and consequences
c. The sanctions for noncompliance
d. The amount of personal liability - Answer✔️✔️-B is the correct answer.
Justification
The extent of enforcement is a measure of probability. Without knowing the scope of consequences, probability cannot be viewed in context.
Legal and regulatory requirements should be treated as any other risk to the enterprise, calculated as the probability of enforcement and the magnitude of possible sanctions (impact or consequences).
Sanctions or impact must be considered in the context of the enforcement mechanisms. If sanctions have less probability of being implemented due to lax enforcement, their severity poses lower risk to the enterprise than if they are widely enforced.
Except in extreme cases of fraud or other criminal activity, liability for regulatory sanctions generally lies with senior management and the board of directors. It is not a driving factor in the evaluation of regulatory requirements.

How should an information security manager balance the potentially conflicting requirements of an international enterprise's security standards with local regulation?
a. Give organizational standards preference over local regulations.
b. Follow local regulations only.
c. Make the enterprise aware of those standards where local regulations cause conflicts.
d. Negotiate a local version of the enterprise standards. - Answer✔️✔️-D is the correct answer.
Justification
Organizational standards must be subordinate to local regulations.
It would be incorrect to follow local regulations only, because there must be recognition of organizational requirements.
Making an enterprise aware of standards is a sensible step but is not a complete solution.
Negotiating a local version of the enterprise's standards is the most effective compromise in this situation. Regulations cannot be changed by the enterprise, and it must achieve compliance, making it necessary to develop a local version of its standards in consultation with the principal office.

Which of the following roles is responsible for legal and regulatory liability for failures of security in the enterprise?
a. Chief security officer
b. Chief legal counsel
c. Board of directors and senior management
d. Information security steering group - Answer✔️✔️-C is the correct answer.
Justification
The chief security officer is not responsible for the legal and regulatory liability of the enterprise arising from failures of security.
The chief legal counsel is not individually responsible for the legal and regulatory liability for failures of security in the enterprise.
The board of directors and senior management are ultimately responsible for ensuring regulations are appropriately addressed and will be responsible for the legal and regulatory liability for failures of security in the enterprise.
The information security steering group is not responsible for the legal and regulatory liability arising from failures of security in the enterprise.

Compliance with legal and regulatory requirements is:
a. a security decision.
b. a business decision.
c. an absolute requirement.
d. conditional and based on cost. - Answer✔️✔️-B is the correct an


Written for

Institution
CISM
Course
CISM

Document information

Uploaded on
August 16, 2024
Number of pages
63
Written in
2024/2025
Type
Exam (elaborations)
Contains
Questions & answers

