CISM Test 1 (S1, 2014)

Multiple Choice Questions


1. Which of the following is an indicator of effective governance? (60)
a. A defined information security architecture
b. Compliance with international security standards
c. Periodic external audits
d. An established risk management program
ANS: D
2. Which of the following is characteristic of centralized information security management? (1)
a. more expensive to administer
b. better adherence to policies
c. more aligned with business unit needs
d. faster turnaround of requests
ANS: B
3. Obtaining senior management support for establishing a warm site can BEST be accomplished by: (121)
a. Establishing a periodic risk assessment
b. Promoting regulatory requirements
c. Developing a business case
d. Developing effective metrics
ANS: C
4. Which of the following would help to change an organization's security culture? (123)
a. Develop procedures to enforce the information security policy
b. Obtain strong management support
c. Implement strict technical controls
d. Periodically audit compliance with the information security policy
ANS: B
5. During a stakeholder meeting, a question was asked regarding who is ultimately accountable for the
protection and security of sensitive data. Assuming that all of the choices below exist in the enterprise,
which would be the MOST appropriate? (158)
a. Security administrators
b. The IT steering committee
c. The board of directors
d. The information security manager
ANS: C
6. It is MOST important that information security architecture be aligned with which of the
following? (62)
a. Industry best practices
b. Business goals and objectives
c. Information technology (IT) plans
d. International information security framework
ANS: B
7. What is the PRIMARY role of the information security manager in the process of information
classification within an organization? (147)
a. Defining and ratifying the classification structure of information assets
b. Deciding the classification levels applied to the organization's information assets
c. Securing information assets in accordance with their classification
d. Checking if information assets have been classified properly
ANS: A
8. The data access requirements for an application should be determined by the: (152)
a. Legal department
b. Compliance officer
c. Information security manager
d. Business owner
ANS: D
9. While implementing information security governance, an organization should FIRST: (43)
a. Adopt security standards
b. Determine security baseline
c. Define the security strategy
d. Establish security policies
ANS: C
10. An information security manager at a global organization must ensure that the local information
security program will initially comply with the: (102)
a. Corporate data privacy policy
b. Data privacy policy where data are collected
c. Data privacy policy of the headquarters country
d. Data privacy directive applicable globally
ANS: B
11. Data owners are PRIMARILY responsible for: (157)
a. Providing access to systems
b. Approving access to systems
c. Establishing authorization and authentication
d. Handling identity management
ANS: B
12. Senior management commitment and support for information security will BEST be attained by
an information security manager by emphasizing (114)
a. Organizational risk
b. Organization-wide metrics
c. Security needs
d. The responsibilities of organizational units
ANS: A
13. The cost of implementing a security control should not exceed the (86)
a. Annualized loss expectancy
b. Cost of an incident
c. Asset value
d. Implementation opportunity costs
ANS: C
14. Which of the following is the BEST justification to convince management to invest in an
information security program (122)
a. Cost reduction
b. Compliance with company policies
c. Protection of business assets
d. Increased business value
ANS: D
15. What is the MOST important item to be included in an information security policy? (75)
a. The definition of roles and responsibilities
b. The scope of the security program
c. The key objectives of the security program
d. Reference to procedures and standards of the security program
ANS: C
16. Which of the following would be the BEST step when developing a business case for an
information security investment? (93)
a. Defining the objectives
b. Calculating the cost
c. Defining the need
d. Analysing the cost effectiveness
ANS: C
17. In implementing information security governance, the information security manager is
PRIMARILY responsible for: (48)
a. Developing the security strategy
b. Reviewing the security strategy
c. Communicating the security strategy
d. Approving the security strategy
ANS: A
18. Which of the following is the MOST important in developing a security strategy? (8)
a. Creating a positive business security environment
b. Understanding key business objectives
c. Having a reporting line to senior management
d. Allocating sufficient resources to information security
ANS: B
19. Which role is in the BEST position to review and confirm the appropriateness of a user access
list? (1-9)
a. Data owner
b. Information security manager
c. Domain administrator
d. Business manager
ANS: A
20. The MOST important reason to make sure there is good communication about security throughout
the organization is: (1-2)
a. To make security more palatable to resistant employees
b. Because people are the biggest risk
c. To inform business units about security strategy
d. To conform to regulations requiring all employees are informed about security
ANS: B
21. From an information security manager's perspective, the MOST important factors regarding data
retention are: (1-8)
a. Business and regulatory requirements
b. Document integrity and destruction
c. Media availability and storage
d. Data confidentiality and encryption
ANS: A
22. The regulatory environment for most organizations mandates a variety of security-related
activities. It is MOST important that the information security manager: (1-3)
a. Rely on corporate counsel to advise which regulations are the most relevant
b. Stay current with all relevant regulations and request legal interpretation
c. Involve all impacted departments and treat regulations as just another risk
d. Ignore many of the regulations that have no teeth.
ANS: C
23. The PRIMARY benefit organizations derive from effective information security governance is: (17)
a. Ensuring appropriate regulatory compliance
b. Ensuring acceptable level of disruption
c. Prioritising allocation of remedial resources
d. Maximizing return on security investment
ANS: B
24. The MOST important consideration in developing security policies is that: (1-4)
a. They are based on a threat profile
b. They are complete and no detail is left out
c. Management signs off on them
d. All employees read and understand them.
ANS: A
25. The PRIMARY security objective in creating good procedures is: (1-5)
a. To make sure they work as intended
b. That they are unambiguous and meet the standards
c. That they be written in plain language and widely distributed
d. That compliance can be monitored
ANS: B
26. The assignment of roles and responsibilities will be MOST effective if: (1-6)
a. There is senior management support
b. The assignments are consistent with proficiencies
c. Roles are mapped to required competencies
d. Responsibilities are undertaken on a voluntary basis
ANS: B
27. The FIRST step in developing an information security management program is to: (9)
a. Identify business risks that affect the organization
b. Clarify organizational purpose for creating the program
c. Assign responsibility for the program
d. Assess adequacy of controls to mitigate business risks
ANS: B
28. Information security should be: (21)
a. Focussed on eliminating all risks
b. A balance between technical and business requirements
c. Driven by regulatory requirements
d. Defined by the board of directors
ANS: B
29. Information security projects should be prioritized on the basis of: (42)
a. Time required for implementation
b. Impact on the organization
c. Total cost for implementation
d. Mix of resources required
ANS: B
30. The FIRST step in establishing a security governance program is to: (50)
a. Conduct a risk assessment
b. Conduct a workshop for all end users
c. Prepare a security budget
d. Obtain high level sponsorship
ANS: D
31. Which of the following would be the BEST indicator of an asset's value to an organization? (191)
a. Risk assessment
b. Security audit
c. Certification
d. Classification
ANS: D
32. In controlling information leakage, management should FIRST establish: (192)
a. a data leak prevention program.
b. user awareness training.
c. an information classification process.
d. a network intrusion detection system (IDS)
ANS: C
33. After performing an asset classification, the information security manager is BEST able to
determine the: (193)
a. level of risk to information resources.
b. impact of compromise.
c. requirements for control strength.
d. annual loss expectancy (ALE)
ANS: B
34. Which of the following BEST supports the principle of security proportionality? (194)
a. Release management
b. Ownership schema
c. Resource dependency analysis
d. Asset classification
ANS: D
35. The overall objective of risk management is to: (2-1)
a. eliminate all vulnerabilities, if possible.
b. determine the best way to transfer risk.
c. manage risk to an acceptable level.
d. implement effective countermeasures.
ANS: C
36. The statement "risk = value × vulnerability × threat" indicates that: (2-2)
a. risk can be quantified using annual loss expectancy (ALE).
b. risk can be quantified, provided magnitude and frequency are computed.
c. the level of risk is greater when more threats meet more vulnerabilities.
d. without knowing value, risk cannot be calculated.
ANS: C
37. To address changes in risk, an effective risk management program should: (2-3)
a. ensure that continuous monitoring processes are in place.
b. establish proper security baseline for all information resources.
c. implement a complete data classification process.
d. change security policies on timely basis to address changing risk.
ANS: A
38. Information classification is important to properly manage risk PRIMARILY because: (2-4)
a. it ensures accountability for information resources as required by roles and responsibilities.
b. it is legal requirement under various regulations.
c. there is no other way to meet the requirements for availability, integrity and auditability.
d. it is used to identify the sensitivity and criticality of information to the organization.
ANS: D
39. Vulnerabilities discovered during an assessment should be: (2-5)
a. handled as a risk, even though there is no threat.
b. prioritized for remediation solely based on impact.
c. a basis for analysing the effectiveness of controls.
d. evaluated for threat, impact and cost of mitigation.
ANS: D
40. Of the following, retention of business records should be PRIMARILY based on: (201)
a. periodic vulnerability assessment.
b. regulatory and legal requirements.
c. device storage capacity and longevity.
d. past litigation.
ANS: B
41. The MOST important reason for conducting periodic risk assessment is because: (203)
a. risk assessment is not always precise.
b. security risks are subject to frequent changes.
c. reviews can optimize and reduce the cost of controls.
d. it demonstrates to senior management that the security function can add value.
ANS: B
42. In a business impact analysis, the value of an information system should be based on the overall
cost: (204)
a. of recovery.
b. to recreate.
c. if unavailable.
d. of emergency operation.
ANS: C
43. A risk assessment should TYPICALLY be conducted: (205)
a. once a year for each business process and sub-process.
b. every three to six months for critical business processes.
c. by external parties to maintain objectivity.
d. annually or whenever there is a significant change.
ANS: D
44. Which of the following risks would BEST be assessed using qualitative risk assessment
techniques? (206)
a. Theft of purchased software.
b. power outage lasting 24 hours.
c. permanent decline in customer confidence.
d. temporary loss of e-mail due to a virus attack.
ANS: C
45. Residual risk can be determined by: (2-7)
a. determining remaining vulnerabilities after countermeasures are in place.
b. a threat analysis.
c. a risk assessment.
d. transferring all risk.
ANS: C
46. Data owners are primarily responsible for creating risk mitigation strategies to address which of
the following areas: (2-8)
a. platform security.
b. entitlement changes.
c. intrusion detection.
d. antivirus controls.
ANS: B
47. Which of the following is the FIRST step in selecting the appropriate controls to be implemented in
a new business application? (2-10)
a. business impact analysis (BIA).
b. cost-benefit analysis.
c. return on investment (ROI)
d. risk assessment.
ANS: D
48. Which of the following groups would be in the BEST position to perform a risk analysis
for a business? (212)
a. external auditors
b. a peer group within a similar business
c. process owners
d. a specialized management consultant
ANS: C
49. A successful risk management program should lead to: (213)
a. optimization of risk reduction efforts against cost.
b. containment of losses to an annual budgeted amount.
c. identification and removal of all man-made threats.
d. elimination or transference of all organizational risks.
ANS: A
50. Which of the following risks would BEST be assessed using quantitative risk assessment
techniques? (214)
a. customer data stolen
b. an electrical power outage
c. a web site defaced by hackers
d. loss of the software development team
ANS: B
51. Define the term Information and give an example.
ANS: Information is data with meaning and purpose, e.g. sales reports, annual budget, project report,
etc.
PTS: 2

52. Define the term Security and give an example.
ANS: Security is the protection from or absence of danger, e.g. securing data from leakage or from
destruction by putting appropriate controls in place.
PTS: 2

53. Define the term Strategy and give an example.
ANS: Strategy is the plan of action to achieve the defined objectives that result in the desired
outcomes, utilizing available resources within the existing constraints.
PTS: 2

54. Define the term Risk and give an example.
ANS: Risk can be defined as the possibility of suffering harm or loss, e.g. the risk of losing money in
developing new products.
PTS: 2

55. Define the term Governance.
ANS: Governance can be defined as the set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risk is managed appropriately, and verifying that the enterprise's resources
are used responsibly.
PTS: 2

56. Define the term metric. Explain your answer by giving examples.
ANS: A specific description of how a quantitative and periodic assessment of performance is to be
measured. A complete metric defines the unit used, frequency, ideal target value, the procedure to
carry out the measurement and the procedure for the interpretation of the assessment.
PTS: 2
57. Why is it important to integrate security governance into corporate governance?
ANS: The objective of security governance is to help organizations achieve their business objectives.
PTS: 2
58. Define the term vulnerability. Explain your answer by giving examples.
ANS: A weakness in the design, implementation, operation or internal controls in a process that could
be exploited to violate system security.
PTS: 2
59. Define the term sensitivity. Explain your answer by giving examples.
ANS: A measure of the impact that improper disclosure of information may have on an organization.
Generally, sensitivity cannot be assessed quantitatively; it can usually be assessed only by
qualitative measures.
PTS: 2
60. Define the term impact. Explain your answer by giving examples.
ANS: The degree to which an incident or an event can affect the performance of a system or a part of it.
PTS: 2
61. What do you understand by asset classification? Explain your answer by giving examples.
ANS: A classification schema to define the various degrees of sensitivity and/or criticality of
information that is in the care, control or custody of an organization. It serves to prioritize protection
efforts and provides a basis for the degree of protection assigned to an information asset.
Asset classification facilitates effective business continuity and disaster recovery planning by
identifying the most critical and sensitive information.
PTS: 2
62. What do you understand by risk management? Explain your answer by giving examples.
ANS: Risk management is the systematic application of management policies, procedures and
practices to the tasks of identifying, analysing, evaluating, reporting, treating and monitoring risks.
Australian government official definition of risk management:
Risk management is a systematic process of making a realistic evaluation of risks to the
business. Before risks can be properly managed they need to be identified. Ask these
questions:
What can go wrong?
What can I do to prevent it?
What do I do if it happens?
Standards Australia, AS/NZS ISO 31000:2009, Risk management - Principles and guidelines.
PTS: 2
63. What do you understand by the term mitigation? Explain your answer by giving examples.
ANS: The management of risk through the use of countermeasures and controls.
PTS: 2
64. Define the term compliance. Explain your answer by giving examples.
ANS: Compliance is a state in which someone or something is in accordance with established
guidelines, specifications, or legislation.
PTS: 2
65. Define the term quantitative. Explain your answer by giving examples.
ANS: When numerical values are assigned to both impact and likelihood. The quality of results
depends on the accuracy of the assigned values and the validity of the statistical models used.
PTS: 2