CISM 2023 EXAM QUESTIONS WITH ALL COMPLETE SOLUTIONS

CISM 2023 EXAM QUESTIONS WITH ALL COMPLETE SOLUTIONS 1. Which of the following would BEST ensure the success of information security governance within an organization? A. The steering committee approves all security projects. B. The security policy manual is distributed to all managers. C. Security procedures are accessible on the company intranet. D. The corporate network utilizes multiple screened subnets. - ANSWER- The steering committee approves all security projects. 2. Which of the following should be developed FIRST? A. Standards B. Procedures C. Policies D. Guidelines - ANSWER- Policies 3. Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group? A. Chief security officer B. Chief operating officer C. Chief internal auditor D. Chief legal counsel - ANSWER- Chief operating officer 4. Which of the following would normally be covered in an insurance policy for computer equipment coverage? Equipment: A. leased to the insured by another company. B. leased to another company by the insured. C. under the direct control of another company. D. located at and belonging to a service provider. - ANSWER- leased to the insured by another company. 5. The MOST appropriate reporting base for the information security management function would be to report to the: A. head of IT. B. infrastructure director. C. network manager. D. chief information officer. - ANSWER- chief information officer 6. Which of the following is MOST indicative of the failure of information security governance within an organization? A. The information security department has had difficulty filling vacancies. B. The chief information officer (CIO) approves changes to the security policy. C. The information security oversight committee only meets quarterly. D. The data center manager has final sign-off on all security projects. - ANSWER- The data center manager has final sign-off on all security projects 7. When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST? A. Develop a security architecture B. Build senior management support C. Assemble an experienced staff D. Interview peer organizations - ANSWER- Build senior management support 8. Which of the following are seldom changed in response to technological changes? A. Standards B. Procedures C. Policies D. Guidelines - ANSWER- Policies 9. Which of the following is characteristic of decentralized information security management across a geographically dispersed organization? A. More uniformity in quality of service B. Better adherence to policies C. More aligned to business unit needs D. Less total cost of ownership - ANSWER- More aligned to business unit needs 10. A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should the information security manager take? A. Enforce the existing security standard B. Change the standard to permit the deployment. C. Perform a risk analysis to quantify the risk. D. Permit a 90-day window to see if a problem occurs. - ANSWER- Perform a risk analysis to quantify the risk 11. Which of the following would be the MOST appropriate task for a chief information security officer to perform? A. Update platform-level security settings. B. Conduct disaster recovery test exercises. C. Approve access to critical financial systems. D. Develop an information security strategy paper. - ANSWER- Develop an information security strategy paper 12. The MOST important reason for conducting the same risk assessment more than once is because: A. mistakes are often made in the initial reviews. B. security risks are subject to frequent change. C. different reviewers analyze risk factors differently. D. it shows management that the security staff is adding value. - ANSWER- security risks are subject to frequent change. 13. Which of the following should management use to determine the amount of resources to devote to mitigating exposures? A. Risk analysis results B. Audit report findings C. Penetration test results D. Fixed percentage of IT budget - ANSWER- Risk analysis results 14. Acceptable risk is achieved when: A. residual risk is minimized. B. transferred risk is minimized. C. control risk equals acceptable risk. D. residual risk equals transferred risk. - ANSWER- residual risk is minimized. 15. The BEST way to integrate risk management into life cycle processes is through: A. policy development. B. change management. C. awareness training. D. regular monitoring. - ANSWER- change management 16. The decision on whether new risks should fall under periodic or event-driven reporting should be based on: A. severity and duration. B. visibility and duration. C. likelihood and duration. D. absolute monetary value. - ANSWER- absolute monetary value 17. A risk assessment should be conducted: A. once for each business process and subprocess. B. every three to five years for critical business processes. C. by external parties to maintain objectivity. D. annually or whenever there is a significant change. - ANSWER- annually or whenever there is a significant change 18. A risk management program should MOST importantly seek to: A. quantify overall risk. B. minimize residual risk. C. eliminate inherent risk. D. maximize the sum of all annualized loss expectancies. - ANSWER- minimize residual risk 19. When residual risk is minimized: A. acceptable risk is achieved. B. transferred risk is minimized. C. control risk is reduced to zero. D. residual risk equals transferred risk. - ANSWER- acceptable risk is achieved 20. When a minor security flaw is found in a new system that is about to be moved into production, this should be reported to: A. senior management in a quarterly report. B. users who may be impacted by the flaw. C. executive management in an immediate report. D. customers who may be impacted by the flaw. - ANSWER- senior management in a quarterly report 21. Which of the following BEST indicates the probability that a successful attack will occur? A. Value of the target and level of protection is high B. Motivation and ability of the attacker is high C. Value of the target is high and protection is low D. Motivation of the attacker and value of the target is high - ANSWER- Value of the target is high and protection is low 22. The results of an organizational risk analysis should FIRST be shared with: A. external auditors. B. stockholders. C. senior management. D. peer organizations. - ANSWER- senior management 23. The GREATEST reduction in overhead costs for security administration would be provided by: A. mandatory access control. B. role-based access control. C. decentralized access control. D. discretionary access control. - ANSWER- role-based access control 24. The BEST reason for an organization to have two discrete firewalls connected directly to the Internet and to the same DMZ would be to: A. provide defense in-depth. B. separate test and production. C. permit traffic load balancing. D. prevent a denial-of-service attack. - ANSWER- permit traffic load balancing 25. Accountability by business process owners can BEST be obtained through: A. periodic reminder memorandums. B. strict enforcement of policies. C. policies signed by IT management. D. education and awareness meetings. - ANSWER- education and awareness meetings 26. Which of the following is the BEST method for ensuring that security procedures and guidelines are read and understood? A. Periodic focus group meetings