CISM Test Bank Quiz With Complete Solution

Type: Exam (elaborations)
Course: CISM
Number of pages: 24
Contains: Questions & answers
Uploaded on: February 6, 2025
Written in: 2024/2025

1. The MOST appropriate reporting base for the information security management
function would be to report to the:

A. head of IT.
B. infrastructure director.
C. network manager.
D. chief information officer. - ANSWER -chief information officer

2. Which of the following is MOST indicative of the failure of information
security governance within an organization?

A. The information security department has had difficulty filling vacancies.
B. The chief information officer (CIO) approves changes to the security policy.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final sign-off on all security projects. - ANSWER
-The data center manager has final sign-off on all security projects

7. When an organization hires a new information security manager, which of the
following goals should this individual pursue FIRST?

A. Develop a security architecture
B. Build senior management support
C. Assemble an experienced staff
D. Interview peer organizations - ANSWER -Build senior management support

8. Which of the following are seldom changed in response to technological
changes?

A. Standards
B. Procedures
C. Policies

D. Guidelines - ANSWER -Policies

9. Which of the following is characteristic of decentralized information security
management across a geographically dispersed organization?

A. More uniformity in quality of service
B. Better adherence to policies
C. More aligned to business unit needs
D. Less total cost of ownership - ANSWER -More aligned to business unit needs

10. A business unit intends to deploy a new technology in a manner that places it
in violation of existing information security standards. What immediate action
should the information security manager take?

A. Enforce the existing security standard
B. Change the standard to permit the deployment.
C. Perform a risk analysis to quantify the risk.
D. Permit a 90-day window to see if a problem occurs. - ANSWER -Perform a risk
analysis to quantify the risk

11. Which of the following would be the MOST appropriate task for a chief
information security officer to perform?

A. Update platform-level security settings.
B. Conduct disaster recovery test exercises.
C. Approve access to critical financial systems.
D. Develop an information security strategy paper. - ANSWER -Develop an
information security strategy paper

12. The MOST important reason for conducting the same risk assessment more
than once is because:

A. mistakes are often made in the initial reviews.
B. security risks are subject to frequent change.
C. different reviewers analyze risk factors differently.

D. it shows management that the security staff is adding value. - ANSWER -
security risks are subject to frequent change.

13. Which of the following should management use to determine the amount of
resources to devote to mitigating exposures?

A. Risk analysis results
B. Audit report findings
C. Penetration test results
D. Fixed percentage of IT budget - ANSWER -Risk analysis results

14. Acceptable risk is achieved when:

A. residual risk is minimized.
B. transferred risk is minimized.
C. control risk equals acceptable risk.
D. residual risk equals transferred risk. - ANSWER -residual risk is minimized.

15. The BEST way to integrate risk management into life cycle processes is
through:

A. policy development.
B. change management.
C. awareness training.
D. regular monitoring. - ANSWER -change management

16. The decision on whether new risks should fall under periodic or event-driven
reporting should be based on:

A. severity and duration.
B. visibility and duration.
C. likelihood and duration.
D. absolute monetary value. - ANSWER -absolute monetary value

17. A risk assessment should be conducted:
