Which of the following situations presents the greatest information security risk for an organization with multiple but small domestic processing locations?

The PRIMARY goal of a corporate risk management program is to ensure that an organization's:

Options are :

• . IT facilities and systems are always available
• stated objectives are achievable.
• IT assets in key business functions are protected.
• business risks are addressed by preventive controls.

Answer : stated objectives are achievable.

CISM Information Risk Management Certification Test

The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?

Options are :

• Visibility of impact
• Likelihood of occurrence
• Mitigating controls
• Incident frequency

Answer : Visibility of impact

Risk management programs are designed to reduce risk to:

Options are :

• a rate of return that equals the current cost of capital.
• the point at which the benefit exceeds the expense.
• a level that is too small to be measurable
• a level that the organization is willing to accept

Answer : a level that the organization is willing to accept

Which of the following will BEST protect an organization from internal security attacks?

Options are :

• Employee awareness certification program
• Internal address translation
• Static IP addressing
• Prospective employee background checks

Answer : Prospective employee background checks

CISM Information Security Governance Certified

Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?

Options are :

• Platform security
• Antivirus controls
• Intrusion detection
• Entitlement changes

Answer : Entitlement changes

Ongoing tracking of remediation efforts to mitigate identified risks can BEST be accomplished through the use of which of the following?

Options are :

• Tree diagrams
• Venn diagrams
• Heat charts
• Bar charts

Answer : Heat charts

In a business impact analysis, the value of an information system should be based on the overall cost:

Options are :

• of emergency operations.
• to recreate
• if unavailable.
• of recovery.

Answer : if unavailable.

CISM Information Security Governance Practice Test Set 2

Which of the following risks would BEST be assessed using quantitative risk assessment techniques?

Options are :

• A web site defaced by hackers
• Loss of the software development team
• Customer data stolen
• An electrical power outage

Answer : An electrical power outage

Risk acceptance is a component of which of the following?

Options are :

• Assessment
• Monitoring
• Evaluation
• Mitigation

Answer : Mitigation

The value of information assets is BEST determined by

Options are :

• information security management
• individual business managers.
• business systems analysts.
• industry averages benchmarking

Answer : individual business managers.

CISM Information Risk Management Certification Practice

The recovery point objective (RPO) requires which of the following?

Options are :

• Before-image restoration
• Disaster declaration
• System restoration
• After-image processing

Answer : Before-image restoration

Which two components PRIMARILY must be assessed in an effective risk analysis?

Options are :

• Likelihood and impact
• Visibility and duration
• Financial impact and duration
• Probability and frequency

Answer : Likelihood and impact

The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the:

Options are :

• hourly billing rate charged by the carrier.
• aggregate compensation of all affected business users.
• financial losses incurred by affected business units.
• value of the data transmitted over the network.

Answer : financial losses incurred by affected business units.

CISM Incident Management Response Certified Practice Exam Set 2

Acceptable risk is achieved when:

Options are :

• transferred risk is minimized.
• control risk is minimized.
• residual risk is minimized
• inherent risk is minimized.

Answer : residual risk is minimized

An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:

Options are :

• vulnerability.
• probability.
• loss
• threat.

Answer : vulnerability.

A risk assessment should be conducted:

Options are :

• by external parties to maintain objectivity.
• annually or whenever there is a significant change.
• every three to six months for critical business processes.
• once a year for each business process and subprocess.

Answer : annually or whenever there is a significant change.

CISM Information Security Program Management Practice

Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?

Options are :

• Information security manager
• Chief operations officer (COO)
• Internal audit
• Business continuity coordinator

Answer : Chief operations officer (COO)

Which of the following will BEST prevent external security attacks?

Options are :

• Background checks for temporary employees
• Static IP addressing
• Network address translation
• Securing and analyzing system access logs

Answer : Network address translation

A risk analysis should:

Options are :

• give more weight to the likelihood vs. the size of the loss.
• assume an equal degree of protection for all assets.
• address the potential size and likelihood of loss.
• include a benchmark of similar companies in its scope.

Answer : address the potential size and likelihood of loss.

CISM Information Security Program Management Practice Exam

The MOST effective way to incorporate risk management practices into existing production systems is through:

Options are :

• change management.
• awareness training.
• policy development.
• regular monitoring

Answer : change management.

Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?

Options are :

• Risk analysis
• Gap analysis
• Business impact analysis
• Regression analysis

Answer : Business impact analysis

When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:

Options are :

• the information security steering committee
• regulatory- agencies overseeing privacy.
• data owners who may be impacted.
• customers who may be impacted.

Answer : data owners who may be impacted.

Based on the information provided, which of the following situations presents the GREATEST information security risk for an organization with multiple, but small, domestic processing locations?

Options are :

• Systems development is outsourced
• Change management procedures are poor
• Systems operation procedures are not enforced
• Systems capacity management is not performed

Answer : Change management procedures are poor

Which of the following groups would be in the BEST position to perform a risk analysis for a business?

Options are :

• A specialized management consultant
• A peer group within a similar business
• Process owners
• External auditors

Answer : Process owners

Which of (lie following would be the MOST relevant factor when defining the information classification policy?

Options are :

• Benchmarking
• Requirements of data owners
• Available IT infrastructure
• Quantity of information

Answer : Requirements of data owners

CISM Information Security Program Management Test

When performing a qualitative risk analysis, which of the following will BEST produce reliable results?

Options are :

• Possible scenarios with threats and impacts
• Estimated productivity losses
• Vulnerability assessment
• Value of information assets

Answer : Possible scenarios with threats and impacts

The PRIMARY reason for initiating a policy exception process is when:

Options are :

• operations are too busy to comply.
• users may initially be inconvenienced.
• policy compliance would be difficult to enforce
• the risk is justified by the benefit.

Answer : the risk is justified by the benefit.

An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?

Options are :

• Key performance indicators (KPIs)
• Gap analysis
• Business impact analysis (BIA)
• Technical vulnerability assessment

Answer : Gap analysis

Cism Information Security Program Development Practice

The MOST effective use of a risk register is to:

Options are :

• facilitate a thorough review of all IT-related risks on a periodic basis.
• identify threats and probabilities.
• record the annualized financial amount of expected losses due to risks.
• identify risks and assign roles and responsibilities for mitigation.

Answer : facilitate a thorough review of all IT-related risks on a periodic basis.

An information security organization should PRIMARILY:

Options are :

• be responsible for setting up and documenting the information security responsibilities of the information security team members.
• ensure that the information security policies of the company are in line with global best practices and standards
• ensure that the information security expectations are conveyed to employees
• support the business objectives of the company by providing security-related support services.

Answer : support the business objectives of the company by providing security-related support services.

An organization has decided to implement additional security controls to treat the risks of a new process. This is an example of:

Options are :

• mitigating the risk.
• eliminating the risk
• accepting the risk.
• transferring the risk

Answer : mitigating the risk.

CISM Information Risk Management Certification

Which of the following are the essential ingredients of a business impact analysis (B1A)?

Options are :

• Structure of the crisis management team
• Cost of business outages in a year as a factor of the security budget
• Downtime tolerance, resources and criticality
• Business continuity testing methodology being deployed

Answer : Downtime tolerance, resources and criticality

After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?

Options are :

• IT audit manager
• Business manager
• Senior management
• Information security officer (ISO)

Answer : Business manager