Exam (elaborations)

CISM Practice Exam Questions And Answers Verified 100% correct

Pages: 74
Grade: A+
Uploaded on: 26-05-2025
Written in: 2024/2025


Written for
Institution: CISM
Course: CISM

Content preview

CISM Practice Exam Questions And Answers
Verified 100% correct

"Which of the following is responsible for legal and regulatory liability?
A. Chief security officer (CSO)
B. Chief legal counsel (CLC)
C. Board and senior management
D. Information security steering group
Correct ANSWER: C" - "The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization."

"Which of the following would be MOST effective in successfully implementing restrictive password policies?
A. Regular password audits
B. Single sign-on system
C. Security awareness program
D. Penalties for noncompliance
Correct ANSWER: C" - "To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important."

"An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters' country.
D. data privacy directive applicable globally.
Correct ANSWER: B" - "As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group-wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific."

"The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
A. generally accepted industry best practices.
B. business requirements.
C. legislative and regulatory requirements.
D. storage availability.
Correct ANSWER: B" - "The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided."

"An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
A. ensure that security processes are consistent across the organization.
B. enforce baseline security levels across the organization.
C. ensure that security processes are fully documented.
D. implement monitoring of key performance indicators for security processes.
Correct ANSWER: A" - "The organization first needs to move from ad hoc to repeatable processes. The organization then needs to document the processes and implement process monitoring and measurement. Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement. The organization needs to standardize processes both before documentation, and before monitoring and measurement."

"What is the PRIMARY role of the information security manager in the process of information classification within an organization?
A. Defining and ratifying the classification structure of information assets
B. Deciding the classification levels applied to the organization's information assets
C. Securing information assets in accordance with their classification
D. Checking if information assets have been classified properly
Correct ANSWER: A" - "Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context."

"Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer (CISO)
C. Board of directors
D. Chief information officer (CIO)
Correct ANSWER: C" - "The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information."

"How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations cause conflicts
D. Negotiate a local version of the organization standards
Correct ANSWER: D" - "Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since there needs to be some recognition of organization requirements. Making an organization aware of standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation."

"Which of the following situations would MOST inhibit the effective implementation of security governance?
A. The complexity of technology
B. Budgetary constraints
C. Conflicting business priorities
D. High-level sponsorship
Correct ANSWER: D" - "The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance. Complexity of technology, budgetary constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors."

"The MOST useful way to describe the objectives in the information security strategy is through:
A. attributes and characteristics of the 'desired state'.
B. overall control objectives of the security program.
C. mapping the IT systems to key business processes.
D. calculation of annual loss expectations.
Correct ANSWER: A" - "Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy."

"When developing an information security program, what is the MOST useful source of information for determining available resources?
A. Proficiency test
B. Job descriptions
C. Organization chart
D. Skills inventory
Correct ANSWER: D" - "A skills inventory would help identify the available resources, any gaps and the training requirements for