CISM Sample Exam

1. Which of the following factors BEST helps determine the appropriate protection level
for an information asset?

A. The cost of acquisition and implementation of the asset
B. Knowledge of vulnerabilities present in the asset
C. The degree of exposure to known threats
D. The criticality of the business function supported by the asset

2. Which of the following vulnerabilities allowing attackers access to the application
database is the MOST serious?

A. Validation checks are missing in data input pages
B. Password rules do not allow sufficient complexity
C. Application transaction log management is weak
D. Application and database share a single access ID

3. An organization is MOST likely to include an indemnity clause in a service level
agreement (SLA) because an indemnity clause:

A. Reduces the likelihood of an incident
B. Limits impact to the organization
C. Is a regulatory requirement
D. Ensures performance

4. What is the MOST essential attribute of an effective key risk indicator (KRI)?

A. The KRI is accurate and reliable
B. The KRI provides quantitative metrics
C. The KRI indicates required action
D. The KRI is predictive of a risk event

5. Which of the following actions should the information security manager take FIRST on
finding that current controls are not sufficient to prevent a serious compromise?

A. Strengthen existing controls
B. Reassess the risk
C. Set new control objectives
D. Modify security baselines

6. A security strategy is important for an organization primarily because it provides:

A. A basis for determining the best logical security architecture for the organization
B. Management intent and direction for security activities
C. Guidance to users on how to operate securely in everyday tasks
D. Help to IT auditors in ensuring compliance

7. The most important reason to make sure there is good communication about security
throughout the organization is:

A. To make security more palatable to resistant employees
B. Because people are the biggest security risk
C. To inform business units about security strategy
D. To conform to regulations requiring all employees to be informed about security

8. The regulatory environment for most organizations mandates a variety of security-related
activities. It is most important that the information security manager:

A. Relies on corporate counsel to advise which regulations are the most relevant
B. Stays current with all relevant regulations and requests legal interpretation
C. Involves all impacted departments and treats regulations as just another risk
D. Ignores many of the regulations that have no teeth

9. The most important consideration in developing security policies is:

A. They are based on a threat profile
B. They are complete, and no detail is left out
C. Management signs off on them
D. All employees read and understand them

10. Which one of the following regulatory schemes introduces information security
requirements specific to the handling of credit cards?

A. FERPA
B. SOX
C. HIPAA
D. PCI DSS

11. The assignment of roles and responsibilities will be most effective if:

A. There is senior management support
B. The assignments are consistent with proficiencies
C. Roles are mapped to required competencies
D. Responsibilities are undertaken on a voluntary basis

12. The primary benefit that organizations derive from effective information security
governance is:

A. Ensuring appropriate regulatory compliance
B. Ensuring acceptable levels of disruption
C. Prioritizing allocation of remedial resources
D. Maximizing return on security investments

13. Information security management is a component of which of the following
frameworks?

A. IT Service Management
B. Corporate Governance
C. Enterprise IT Management
D. All of the above

14. Betty is preparing to publish a new Information Security Policy for her organization and
is drafting an email message announcing the new policy and informing employees
about their responsibilities. Who would be the most effective signatory for the
message?

A. President/CEO
B. Policy Administrator
C. Chief Information Officer
D. Information Security Officer

15. What international standard provides a consistent set of security objectives for
information technology and is published by ISACA?

A. SP 800-53
B. ITIL
C. ISO 27001
D. COBIT

16. The most important consideration in developing security policies is:

A. They are based on a threat profile
B. They are complete, and no detail is left out
C. Management signs off on them
D. All employees read and understand them

17. Bill is designing an information security governance strategy for his organization. His
primary objective is to choose a strategy that minimizes the variability in control
implementation across the organization. Which governance strategy would best meet
this goal?

A. Hybrid
B. Flexible
C. Centralized
D. Distributed

18. Which one of the following items is not commonly found in an information security
governance framework?

A. Security Standards
B. Security Strategies
C. Security Guidelines
D. Security Policies

19. Which of the following is not normally a part of the Information Security Management
System framework created by Security policies?

A. Control
B. Evaluate
C. Report
D. Plan

20. Which of the following is a function of Information Security Management?

A. Oversight
B. Utilization of resources
C. Allocation of resources
D. Strategic planning

21. Which of the following is part of a security governance framework?

A. Risk Management
B. Organization Structure
C. Compliance Monitoring
D. All of the above

22. Which of the following standards was introduced by the ITGI?

A. COBIT
B. NIST 800-53A
C. ISO 17799
D. SysTrust

23. Improved response is a benefit of what implementation form of information security
governance?

A. Fast path
B. Distributed
C. Centralized
D. All of the above

24. Ownership of information provides support to what security objective?

A. Confidentiality
B. Availability
C. Integrity
D. Accountability

25. Which security practice is used to reduce the risk of collusion?

A. Least Privilege
B. Job Sensitivity
C. Separation of Duties
D. Job Rotation

26. Which of the following is not used by Kerberos to protect the network?

A. Authorization
B. Accounting
C. Authentication
D. Auditing

27. Which change model is used to handle highly critical changes?

A. Critical Change
B. Normal Change
C. Standard Change
D. Emergency Change

28. Pattern matching is used by what security technology?

A. Biometric scan
B. Authentication device
C. Intrusion Detection System
D. Access Control List

29. What technology of identity management is used to avoid replication of data?

A. Directories
B. Profiles
C. Web access
D. Account management

30. Smart devices are a form of what type of technical control?

A. Single-factor authentication
B. Two-factor authentication
C. Three-factor authentication
D. All of the above

31. Comparison of current performance against potential performance is a function of what
type of risk assessment method?

A. Baseline Modeling
B. Cost Benefit Analysis
C. Qualitative Analysis
D. Gap Analysis

32. When a control operates without needing to overlap its activities with another control,
the control is considered what?

A. Distinct
B. Independent
C. Reliable
D. Sustainable

33. Which security policy covers the behaviour of remote employees in conducting
business offsite?
A. Data Protection
B. Proper use of IT assets
C. Social Responsibility
D. Security Awareness

34. The authoritative voice behind information security governance falls to what business
function?

A. Steering Committee
B. Chief Information Security Officer
C. Board of Directors
D. Executives

35. The alignment of information security objectives with business strategy is the function
of what discipline?

A. Information Security Management
B. Information Security Controls
C. Information Security Governance
D. All of the above

36. What is the security concern that incorporates preventing the accuracy and
completeness of information from being altered from unauthorized sources?

A. Integrity
B. Availability
C. Confidentiality
D. Accountability

37. What type of security measure ensures that security incidents can be handled at the
earliest moment possible?

A. Preventive
B. Detective
C. Reductive
D. Repressive

38. Ensuring all decision-making structure and activities are available to inspect describes
what characteristics of information Security Governance?

A. Responsibility
B. Fairness
C. Accountability
D. Transparency

39. Which of the following statements is true?

A. Risks are a primary driver of security solutions
B. Information security is a technical issue
C. All security policies can be automated
D. Security solutions would not be required if people were trustworthy

40. An exploitable weakness of an asset is called what?

A. Threat
B. Vulnerability
C. Risk
D. Control

41. What type of malicious software is used to track user information and activities?

A. Password crackers
B. Mobile code
C. Trojan horses
D. Spyware

42. Traffic can be permitted and denied using what security control?

A. Passwords
B. Routers
C. Access Control Lists
D. All of the above

43. Which of the following encryption algorithms is an example of an asymmetric
algorithm?

A. DES
B. RSA
C. AES
D. MD5

44. A retina scan is a form of what type of authentication device?

A. Biometric
B. Synchronous
C. Asynchronous
D. Integrated Circuit

45. Which of the following is not an administrative security control?

A. Monitoring
B. Protocols
C. User Management
D. Policies

46. Which word below best describes qualitative risk assessment?

A. Objective
B. Measurable
C. Descriptive
D. Time-consuming

47. Insurance is a form of what risk management technique?

A. Risk Mitigation
B. Risk Avoidance
C. Risk Acceptance
D. Risk Transfer

48. What are security activities driven by?

A. Policies
B. Risks
C. Problems
D. All of the above

49. Which of the following is not a characteristic of Information Security Governance?

A. Responsibility
B. Dependency
C. Accountability
D. Fairness

50. Access control is an example of what type of security measure?

A. Preventive
B. Detective
C. Corrective
D. Reductive

51. Which of the following is an objective of information security management?

A. Ensuring trusted information exchanges between enterprises, partners, and customers
B. Preventing unauthorized modification of information
C. Ensuring the availability of information when required
D. All of the above

52. An interruption in business productivity is considered what type of risk?

A. Strategic
B. Operational
C. Reporting
D. Legal

53. What is the process for selecting and implementing measures to impact risk called?

A. Risk Management
B. Risk Treatment
C. Risk Assessment
D. Control

54. Which of the following responses to risk is considered the most appropriate?

A. Avoiding
B. Accepting
C. Insuring
D. Any of the above

55. The sustainability of a control refers to what ability?

A. The ability to adapt as new elements are added to the environment
B. The ability to be applied in the same manner throughout the organization
C. The ability to ensure the control remains in place when it fails
D. The ability to protect itself from exploitation or attack

56. What is the amount of risk that an organization is willing to accept called?

A. Aversion
B. Hedging
C. Appetite
D. All of the above

57. Which one of the following is not a core goal of information security?

A. Availability
B. Authorization
C. Confidentiality
D. Integrity

58. What individual in an organization bears direct responsibility for ensuring the
protection of business information through risk management, user education, control
implementation, incident management and related tasks?

A. President/CEO
B. Information Security Officer
C. Board Chairperson
D. Chief Information Officer

59. Which of the following is not a principle of access controls?

A. Reliability
B. Availability
C. Confidentiality
D. Integrity

60. Who has primary responsibility for the governance of a publicly traded corporation?

A. Shareholders
B. Board of Directors
C. President
D. Chief Executive Officer

61. Which one of the following types of metric measures the actions that lead to an
organization achieving its primary strategic direction?

A. KSI
B. KRI
C. KGI
D. KPI

62. Which of the following choices BEST justifies an information security program?

A. The impact on critical IT assets
B. A detailed business case
C. Steering committee approval
D. User acceptance

63. Information security policy development should PRIMARILY be based on:

A. Vulnerabilities
B. Exposures
C. Threats
D. Impacts

64. A company uses a single employee to update the servers, review the audit logs and
maintain access controls. Which of the following choices is the BEST compensating
control?

A. Verify that only approved changes are made
B. Perform quarterly penetration tests
C. Perform monthly vulnerability scans
D. Implement supervisor review of log files

65. Which of the following requirements is the MOST important when developing
information security governance?

A. Complying with applicable corporate standards
B. Achieving cost effectiveness of risk mitigation
C. Obtaining consensus of business units
D. Aligning with organizational goals

66. What is the MOST important consideration when developing a business case for an
information security investment?

A. The impact on the risk profile of the organization
B. The acceptability to the board of directors
C. The implementation benefits
D. The affordability to the organization

67. Which of the following operational risks represents the assurance that the provision of
a quality product is not overshadowed by the production costs of that product?

A. Information security risks
B. Profitability operational risks
C. Project activity risks
D. Contract and product liability risks

68. Which of the following is not a principle of risk management?

A. Risk is both threat and opportunity
B. Risk management provides higher value to the company
C. Risk can be measured
D. Risk management is the responsibility of executive management

69. Which risk management step is responsible for identifying the interdependencies
between groups of risks?

A. Identification
B. Monitoring
C. Assessment
D. Prioritization.

70. What is a risk register?

A. An identification method
B. An inventory of exposures
C. A Schedule of monitored risks
D. All of the above

71. Which of the following is not a variable found in quantitative assessments of risks?

A. Frequency
B. Probability
C. Impact
D. Cost

72. Passwords are a form of what type of security control?

A. Logical
B. Administrative
C. Physical
D. All of the above

73. Which of the following assessment methods is a quantitative assessment?

A. CCTA Risk Analysis and Management Method
B. Facilitated Risk Analysis Process
C. Spanning Tree Analysis
D. OCTAVE

74. Risks to an organization’s image are considered what type of risk?

A. Strategic
B. Financial
C. Information
D. Operational

75. What is the greatest risk to reporting?

A. Reliability of data
B. Availability of data
C. Integrity of data
D. Confidentiality of data

76. An organization has decided to implement governance, risk and compliance (GRC)
processes into several critical areas of the enterprise. Which of the following objectives
is the MAIN one?

A. To reduce governance cost
B. To improve risk management
C. To harmonize security activities
D. To meet or maintain regulatory compliance

77. Requirements for an information security program should be based PRIMARILY on
which of the following choices?

A. Governance policies
B. Desired outcomes
C. Specific objectives
D. The security strategy

78. Which of the following choices is the BEST indication that the information security
manager is achieving the objective of value delivery?

A. Having a high resource utilization
B. Reducing the budget requirements
C. Utilizing the lowest cost vendors
D. Minimizing the loaded staff cost

79. Governance, risk and compliance (GRC) is an emerging approach PRIMARILY for
achieving:

A. Enhanced risk management
B. Better classification processes
C. Assurance process integration
D. Increased executive accountability

80. Which of the following choices would provide the BEST measure of the effectiveness
of the security strategy?

A. Minimizing risk across the enterprise
B. Countermeasures existing for all known threats
C. Losses consistent with annual loss expectations (ALEs)
D. The extent to which control objectives are met

81. The BEST approach to developing an information security program is to use a:

A. Process
B. Framework
C. Model
D. Guideline

82. Which of the following choices would be the MOST significant key risk indicator (KRI)?

A. A deviation in employee turnover
B. The number of packets dropped by the firewall
C. The number of viruses detected
D. The reporting relationship of IT

83. New regulatory and legal compliance requirements that will have an effect on
information security will MOST likely come from the:

A. Corporate legal officer
B. Internal audit department
C. Affected departments
D. Compliance officer

84. Which of the following choices is the BEST indicator of the state of information security
governance?

A. A defined maturity level
B. A developed security strategy
C. Complete policies and standards
D. Low numbers of incidents

85. Information security governance must be integrated into all business functions and
activities PRIMARILY to:

A. Maximize security efficiency
B. Standardize operational activities
C. Achieve strategic alignment
D. Address operational risk

86. Maturity levels are an approach to determine the extent that sound practices have
been implemented in an organization based on outcomes. Another approach that has
been developed to achieve essentially the same result is:

A. Controls applicability statements
B. Process performance and capabilities
C. Probabilistic risk assessment (PRA)
D. Factor analysis of information risk (FAIR)

87. Which of the following metrics will provide the BEST indication of organizational risk?

A. Annual loss expectancy (ALE)
B. The number of information security incidents
C. The extent of unplanned business interruptions
D. The number of high-impact vulnerabilities

88. Which of the following choices would influence the content of the information security
strategy to the GREATEST extent?

A. Emerging technology
B. System compromises
C. Network architecture
D. Organizational goals

89. Senior management is reluctant to budget for the acquisition of an intrusion prevention
system (IPS). The chief information security officer (CISO) should do which of the
following activities?

A. Develop and present a business case for the project
B. Seek the support of the users and information asset custodians
C. Invite the vendor for a proof of concept demonstration
D. Organize security awareness training for management

90. Which of the following choices would BEST align information security objectives to
business objectives?

A. A capability maturity model (CMM)
B. A process assessment model
C. A risk assessment and analysis
D. A business balanced scorecard (BSC)

91. Which of the following choices is the BEST attribute of key risk indicators (KRIs)?

A. High flexibility and adaptability
B. Consistent methodologies and practices
C. Robustness and resilience
D. The ratio of cost to benefit

92. Which of the following recommendations is the BEST one to promote a positive
information security governance culture within an organization?

A. Strong oversight by the audit committee
B. Organizational governance transparency
C. Collaboration across business lines
D. Positive governance ratings by stock analysts

93. The enactment of policies and procedures for preventing hacker intrusions is an
example of an activity that belongs to:

A. Risk management
B. Compliance
C. IT management
D. Governance

94. Which of the following choices is a necessary attribute of an effective information
security governance framework?

A. An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities
B. Organizational policies and guidelines in line with predefined procedures
C. Business objectives aligned with a predefined security strategy
D. Security guidelines that address multiple facets of security such as strategy, regulatory compliance and controls

95. Business goals define the strategic direction of the organization. Functional goals
define the tactical direction of a business function. Security goals define the security
direction of the organization. What is the MOST important relationship between these
concepts?

A. Functional goals should be derived from security goals
B. Business goals should be derived from security goals
C. Security goals should be derived from business goals
D. Security and business goals should be defined independently from each other

96. An enterprise has been recently subject to a series of denial-of-service (DoS) attacks
due to a weakness in security. The information security manager needs to present a
business case for increasing the investment in security. The MOST significant
challenge in obtaining approval from senior management for the proposal is:

A. Explaining technology issues of security
B. Demonstrating value and benefits
C. Simulating various risk scenarios
D. Obtaining benchmarking data for comparison

97. Which of the following choices is the MOST important consideration when developing
the security strategy of a company operating in different countries?

A. Diverse attitudes toward security by employees and management
B. Time differences and the ability to reach security officers
C. A coherent implementation of security policies and procedures in all countries
D. Compliance with diverse laws and governmental regulations

98. Information security frameworks can be MOST useful for the information security
manager because they:

A. Provide detailed processes and methods
B. Are designed to achieve specific outcomes
C. Provide structure and guidance
D. Provide policy and procedure

99. The MOST important element to consider when developing a business case for a
project is the:

A. Feasibility and value proposition
B. Resource and time requirements
C. Financial analysis of benefits
D. Alignment with organizational objectives

100. Which of the following choices is the MOST likely cause of significant inconsistencies
in system configurations?

A. A lack of procedures
B. Inadequate governance
C. Poor standards
D. Insufficient training

101. Which of the following should be the FIRST step in developing an information security
plan?

A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness

102. Senior management commitment and support for information security can BEST be
obtained through presentations that:

A. Use illustrative examples of successful attacks
B. Explain the technical risks to the organization
C. Evaluate the organization against best security practices
D. Describe the security risks to key business objectives

103. The MOST appropriate role for senior management in supporting information security
is the:

A. Evaluation of vendors offering security products
B. Assessment of risks to the organization
C. Approval of policy statements and funding
D. Monitoring of adherence to regulatory requirements

104. Which of the following would BEST ensure the success of information security
governance within an organization?

A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations

105. Information security governance is PRIMARILY driven by:

A. Technology constraints.
B. Regulatory requirements.
C. Litigation potential.
D. Business strategy

106. Which of the following represents the MAJOR focus of privacy regulations?

A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data

107. Investments in information security technologies should be based on:

A. Vulnerability assessments.
B. Value analysis.
C. Business climate.
D. Audit recommendations

108. Retention of business records should PRIMARILY be based on:

A. Business strategy and direction
B. Regulatory and legal requirements
C. Storage capacity and longevity
D. Business ease and value analysis

109. Which of the following is characteristic of centralized information security
management?

A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests

110. Successful implementation of information security governance will FIRST require:

A. Security awareness training
B. Updated security policies
C. A computer incident management team
D. A security architecture

111. Which of the following individuals would be in the BEST position to sponsor the
creation of an information security steering group?

A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel

112. The MOST important component of a privacy policy is:

A. Notifications
B. Warranties
C. Liabilities
D. Geographic coverage

113. The cost of implementing a security control should not exceed the:

A. Annualized loss expectancy
B. Cost of an incident
C. Asset value
D. Implementation opportunity costs

114. When a security standard conflicts with a business objective, the situation should be
resolved by:

A. Changing the security standard
B. Changing the business objective
C. Performing a risk analysis
D. Authorizing a risk acceptance

115. Minimum standards for securing the technical infrastructure should be defined in a
security:

A. Strategy
B. Guidelines
C. Model
D. Architecture

116. Which of the following is MOST appropriate for inclusion in an information security
strategy?

A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D. Budget estimates to acquire specific security tools

117. Senior management commitment and support for information security will BEST be
attained by an information security manager by emphasizing:

A. Organizational risk
B. Organization-wide metrics
C. Security needs
D. The responsibilities of organizational units

118. Which of the following roles would represent a conflict of interest for an information
security manager?

A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls

119. Which of the following situations must be corrected FIRST to ensure successful
information security governance within an organization?

A. The information security department has difficulty filling vacancies
B. The chief information officer (CIO) approves security policy changes
C. The information security oversight committee only meets quarterly
D. The data center manager has final signoff on all security projects

120. Which of the following requirements would have the lowest level of priority in
information security?

A. Technical
B. Regulatory
C. Privacy
D. Business

121. When an organization hires a new information security manager, which of the following
goals should this individual pursue FIRST?

A. Develop a security architecture
B. Establish good communication with steering committee members
C. Assemble an experienced staff
D. Benchmark peer organizations

122. It is MOST important that information security architecture be aligned with which of the
following?

A. Industry best practices
B. Information technology plans
C. Information security best practices
D. Business objectives and goals

123. Which of the following is MOST likely to be discretionary?

A. Policies
B. Procedures
C. Guidelines
D. Standards

124. Security technologies should be selected PRIMARILY on the basis of their:

A. Ability to mitigate business risks
B. Evaluations in trade publications
C. Use of new and emerging technologies
D. Benefits in comparison to their costs

125. Which of the following are seldom changed in response to technological changes?

A. Standards
B. Procedures
C. Policies
D. Guidelines

126. The MOST important factor in planning for the long-term retention of electronically
stored business records is to take into account potential changes in:

A. Storage capacity and shelf life
B. Regulatory and legal requirements
C. Business strategy and direction
D. Application systems and media

127. Which of the following is characteristic of decentralized information security
management across a geographically dispersed organization?

A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs

128. Which of the following is the MOST appropriate position to sponsor the design and
implementation of a new security infrastructure in a large global enterprise?

A. Chief security officer (CSO)
B. Chief operating officer (COO)
C. Chief privacy officer (CPO)
D. Chief legal counsel (CLC)

129. The PRIMARY goal in developing an information security strategy is to:

A. Establish security metrics and performance monitoring
B. Educate business process owners regarding their duties
C. Ensure that legal and regulatory requirements are met
D. Support the business objectives of the organization

130. Which of the following BEST describes an information security manager's role in a
multidisciplinary team that will address a new regulatory requirement regarding
operational risk?

A. Ensure that all IT risks are identified
B. Evaluate the impact of information security risks
C. Demonstrate that IT mitigating controls are in place
D. Suggest new IT controls to mitigate operational risk

131. Risk management programs are designed to reduce risk to:

A. A level that is too small to be measurable
B. The point at which the benefit exceeds the expense
C. A level that the organization is willing to accept
D. A rate of return that equals the current cost of capital

132. Acceptable risk is achieved when:

A. Residual risk is minimized
B. Transferred risk is minimized
C. Control risk is minimized
D. Inherent risk is minimized

133. How would an information security manager balance the potentially conflicting
requirements of an international organization's security standards and local regulation?

A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations cause conflicts
D. Negotiate a local version of the organization standards

134. An information security manager at a global organization that is subject to regulation
by multiple governmental jurisdictions with differing requirements should:

A. Bring all locations into conformity with the aggregate requirements of all governmental jurisdictions
B. Establish baseline standards for all locations and add supplemental standards as required
C. Bring all locations into conformity with a generally accepted set of industry best practices
D. Establish a baseline standard incorporating those requirements that all jurisdictions have in common

135. What is the PRIMARY role of the information security manager in the process of
information classification within an organization?

A. Defining and ratifying the classification structure of information assets
B. Deciding the classification levels applied to the organization's information assets
C. Securing information assets in accordance with their classification
D. Checking if information assets have been classified properly

136. An internal audit has identified major weaknesses over IT processing. Which of the
following should an information security manager use to BEST convey a sense of
urgency to management?

A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report

137. Which of the following is MOST important in developing a security strategy?

A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security

138. To achieve effective strategic alignment of security initiatives, it is important that:

A. Steering committee leadership must be selected by rotation.


B. Inputs be obtained and consensus achieved between the major organizational
units.
C. The business strategy must be updated periodically.
D. Procedures and standards must be approved by all departmental heads
139. A risk assessment should be conducted:

A. Once a year for each business process and sub process.


B. Every three-to-six month for critical business processes
C. By external parties to maintain objectivity
D. Annually or whenever there is a significant change.

140. Logging is an example of which type of defense against systems compromise?

A. Containment
B. Detection
C. Reaction
D. Recovery

141. Which of the following results from the risk assessment process would BEST assist
risk management decision-making?

A. Control risk
B. Inherent risk
C. Risk exposure
D. Residual risk

142. What would a security manager PRIMARILY utilize when proposing the
implementation of a security solution?

A. Risk assessment report
B. Technical evaluation report
C. Business case
D. Budgetary requirements

143. Temporarily deactivating some monitoring processes, even if supported by an
acceptance of operational risk, may not be acceptable to the information security
manager if:

A. It implies compliance risks.
B. Short-term impact cannot be determined.
C. It violates industry security practices.
D. Changes in the roles matrix cannot be detected.

144. Identification and prioritization of business risk enable project managers to:

A. Establish implementation milestones.
B. Reduce the overall amount of slack time.
C. Address areas with most significance.
D. Accelerate completion of critical paths.

145. A security manager meeting the requirements for the international flow of personal
data will need to ensure:

A. A data processing agreement.
B. A data protection registration.
C. The agreement of the data subjects.
D. Subject access procedures.

146. Who in an organization has the responsibility for classifying information?

A. Data custodian
B. Database administrator
C. Information security officer
D. Data owner
147. Based on the information provided, which of the following situations presents the
GREATEST information security risk for an organization with multiple, but small,
domestic processing locations?

A. Systems operation procedures are not enforced
B. Change management procedures are poor
C. Systems development is outsourced
D. Systems capacity management is not performed

148. Which of the following is responsible for legal and regulatory liability?

A. Chief security officer (CSO)
B. Chief legal counsel (CLC)
C. Board and senior management
D. Information security steering group

149. Which of the following factors is a primary driver for information security governance
that does not require any further justification?

A. Alignment with industry best practices
B. Business continuity investment
C. Business benefits
D. Regulatory compliance

150. In order to highlight to management the importance of integrating information
security in the business processes, a newly hired information security officer should
FIRST:

A. Prepare a security budget.
B. Conduct a risk assessment.
C. Develop an information security policy.
D. Obtain benchmarking information.
