CISM Practice Questions

A.  

Security awareness plan

B.  

Business continuity plan (BCP)

C.  

Disaster recovery plan (DRP)

D.  

Incident response plan

A.  

Current resourcing levels

B.  

Availability of potential resources

C.  

Information security strategy

D.  

Information security incidents

A.  

The information available about the vulnerability

B.  

The sensitivity of the asset and the data it contains

C.  

IT resource availability and constraints

D.  

Whether patches have been developed and tested

A.  

evaluate results of the most recent incident response test.

B.  

review the number of reported security incidents.

C.  

ensure established security metrics are reported.

D.  

assess progress of risk mitigation efforts.

A.  

on a need-to-know basis subject to controls.

B.  

subject to legal and regulatory requirements.

C.  

by the use of a remote access server.

D.  

if a robust IT infrastructure exists.

A.  

Percentage of information security incidents resolved within defined service level agreements (SLAs)

B.  

Percentage of corporate budget allocated to information security initiatives

C.  

Number of business executives who have attended information security awareness sessions

D.  

Number of business objectives directly supported by information security initiatives

A.  

Key risk indicators (KRIs)

B.  

Periodic review of the risk register

C.  

Degree of senior management support

D.  

Compliance with industry regulations

A.  

Perform a gap analysis based on the current state

B.  

Create a roadmap to identify security baselines and controls.

C.  

Identify key stakeholders to champion information security.

D.  

Determine acceptable levels of information security risk.

A.  

To ensure industry best practices for enterprise security are followed

B.  

To establish the minimum level of controls needed

C.  

To determine the desired state of enterprise security

D.  

To satisfy auditors' recommendations for enterprise security

A.  

Determine recovery priorities.

B.  

Define the recovery point objective (RPO).

C.  

Confirm control effectiveness.

D.  

Analyze vulnerabilities.

A.  

Intrusion detection system (IDS)

B.  

Endpoint detection and response (EDR) solution

C.  

User and entity behavior analytics

D.  

Vulnerability scanning tools

A.  

Hardware and software inventories

B.  

Data restoration procedures

C.  

Information about eradication activities

D.  

Criteria for activation

A.  

review access rights as the acquisition integration occurs.

B.  

perform a risk assessment of the access rights.

C.  

escalate concerns for conflicting access rights to management.

D.  

implement consistent access control standards.

A.  

Organizational structure and culture

B.  

Risk tolerance and organizational objectives

C.  

The desired state of the organization

D.  

Information security personnel

A.  

Parallel test

B.  

Full interruption test

C.  

Simulation test

D.  

Tabletop test

A.  

Management's business goals and objectives

B.  

Strategies of other non-regulated companies

C.  

Risk assessment results

D.  

Industry best practices and control recommendations

A.  

Data masking

B.  

Data retention strategy

C.  

Data encryption standards

D.  

Data loss prevention (DLP)

A.  

Present the benefits of security awareness training

B.  

Describe how security enables business objectives

C.  

Describe potential impact of compromises

D.  

Present anticipated return on security investment

A.  

Maturity of the security policy

B.  

Clarity of security roles and responsibilities

C.  

Corporate culture

D.  

Corporate risk framework

A.  

increase return on investment (ROI)

B.  

provide feedback on control effectiveness

C.  

adopt security best practices

D.  

establish security benchmarks