CISM Practice Questions

A.  

Selecting quality metrics to monitor business performance

B.  

Estimating the likelihood that end-to-end processes will be disrupted

C.  

Obtaining reserve funding to prepare for possible business failures

D.  

Identifying critical functions for business operations

A.  

Conducting a control assessment

B.  

Developing an emerging technology roadmap

C.  

Providing effective risk governance

D.  

Developing an acceptable use policy

A.  

Value of the information asset in the marketplace

B.  

Criticality to a business process

C.  

Risk assessment from the data owner

D.  

Cost of producing the information asset

A.  

Instruct IT to deploy controls based on urgent business needs.

B.  

Present a business case for additional controls to senior management.

C.  

Solicit bids for compensating control products.

D.  

Recommend a different application.

A.  

Develop new security standards.

B.  

Maintain a security exceptions process.

C.  

Discontinue affected activities until security requirements can be met.

D.  

Apply additional logging and monitoring to affected assets.

A.  

Establish an information security steering committee.

B.  

Employ a process-based approach for information asset classification.

C.  

Utilize an industry-recognized risk management framework.

D.  

Provide security awareness training to board executives.

A.  

New services offered by IT

B.  

Changes to the risk landscape

C.  

A recent cybersecurity attack

D.  

A new technology implemented

A.  

Wider range of capabilities

B.  

Easier implementation across an organization

C.  

Greater ability to focus on core business operations

D.  

Lower cost of operations

A.  

information security best practices.

B.  

risk management techniques.

C.  

the threat environment.

D.  

the corporate culture.

A.  

consider the organizations business strategy.

B.  

consider the strategic objectives of the program.

C.  

leverage industry benchmarks.

D.  

identify the program's risk and compensating controls.

A.  

It transfers the risk associated with recovery to a third party.

B.  

It lowers the annual cost to the business.

C.  

It eliminates the need to maintain offsite facilities.

D.  

It eliminates the need for the business to perform testing.

A.  

Maintain the affected systems in a forensically acceptable state

B.  

Conduct a risk assessment on the affected application

C.  

Inform senior management of the breach.

D.  

Isolate the impacted systems from the rest of the network

A.  

maintain a strict chain of custody.

B.  

provide effective triage and containment of the incident.

C.  

remove the threat and restore affected systems

D.  

obtain forensic evidence from the affected system.

A.  

Security baselines

B.  

A gap analysis

C.  

A SWOT analysis

D.  

A balanced scorecard

A.  

Updated risk assessments

B.  

Counts of information security incidents

C.  

Audit reports

D.  

Monthly metrics

A.  

baseline security controls.

B.  

benchmarking security metrics.

C.  

security objectives.

D.  

cost-benefit analyses.

A.  

The board of directors

B.  

The chief information security officer (ClSO)

C.  

The enterprise risk committee

D.  

The chief information officer (CIO)

A.  

the chief risk officer (CRO).

B.  

business senior management.

C.  

the information security manager.

D.  

the compliance officer.

A.  

Perform penetration testing on affected systems.

B.  

Scan IT systems for operating system vulnerabilities.

C.  

Review change in business requirements for information security.

D.  

Assess impact on information security risk.

A.  

Install additional application controls.

B.  

Notify senior management.

C.  

Invoke the incident response plan.

D.  

Prevent access to the application.