CISM Exam Questions and Answers: Information Security Management, Exams of Information Security and Markup Languages

A compilation of Certified Information Security Manager (CISM) exam questions and answers, covering key concepts in information security management. It includes topics such as alignment with organizational goals, senior management support, core security principles (confidentiality, integrity, availability), threat identification, personnel security, intrusion prevention systems, security architecture, risk management, and compliance. The questions address various aspects of security governance, risk assessment, control implementation, and incident response, making it a valuable resource for exam preparation and for understanding information security best practices. It also covers cryptography, access control, disaster recovery, and outsourcing security.

Typology: Exams

2024/2025

Available from 08/31/2025

Prof.Steve


Download CISM Exam Questions and Answers: Information Security Management and more Exams Information Security and Markup Languages in PDF only on Docsity!

CISM CERTIFIED INFORMATION SECURITY MANAGER QUESTIONS AND ANSWERS 100% CORRECT

  1. Alignment with the goals and objectives of the organization: The foundation of an information security program is:
  2. Senior Management Support: The key factor in a successful information security program is
  3. Confidentiality, Integrity, and Availability: The core principles of an information security program are
  4. Any event or action that could cause harm to the organization: What is a threat?
  5. True: Threats can be either intentional or accidental? True or False
  6. Pre-employment checks: Personnel security requires trained personnel to manage systems and networks. At what stage does personnel security begin?
  7. Upper management: Who plays the most important role in information security?
  8. IPS can block suspicious activity in real time: What is the advantage of an IPS (intrusion prevention system) over an IDS (intrusion detection system)?
  9. True: Physical security is an important part of an information security program. True or False?
  10. An enterprise-wide approach to security architecture: The Sherwood Applied Business Security Architecture (SABSA) is primarily concerned with
  11. Uniform enforcement of security policies: A centralized approach to security has the primary advantage of
  12. More adjustable to local laws and requirements: The greatest advantage of a decentralized approach to security is:
  13. Identify and protect information assets: A primary objective of an information security strategy is to:
  14. Determine the desired state of security: The first step in
  15. Development of a business case: What is a primary method for justifying investments in information security?
  16. Require the organization to comply with the security standards of the third party: Relationships with third parties may:
  17. False: True or False? The organization does not have to worry about the impact of third party relationships on the security program
  18. Provide feedback from all areas of the organization: The role of an Information Systems Security Steering Committee is to:
  19. A security awareness program: The most effective tool a security department has is:
  20. To validate the effectiveness of the security program against established metrics: The role of Audit in relation to Information Security is:
  21. The Security Manager: Who should be responsible for development of a risk management strategy?
  22. Their job descriptions: The security requirements of each member of the organization should be documented in:
  23. Obtaining buy-in from employees: What could be the greatest challenge to implementing a new security strategy?
  24. Threat: A disgruntled former employee is a:
  25. Vulnerability: A bug or software flaw is a:
  26. Detective control: An audit log is an example of a:
  27. When normal controls are not sufficient to mitigate the risk: A compensating control is used:
  28. Countermeasure: Encryption is an example of a:
  29. Risk analysis: The examination of risk factors would be an example of:
  30. False: True/False: The only real risk mitigation technique is based on effective implementation of technical controls.
  31. Yes, because it would not be appropriate to recommend implementing controls that are already planned: Should a risk assessment consider controls that are planned but not yet implemented?
  32. The fines imposed by regulators in the event of a breach: The value of information is based in part on:
  33. The minimum level of security mandated in the organization: The definition of an information security baseline is:
  34. Compare the current state of security with the desired state: The use of a baseline can help the organization to:
  35. Estimate the potential impact on the business in case of a system failure: The purpose of a Business Impact Analysis (BIA) is to:
  36. Determine the priorities for recovery of business processes and systems: The ultimate goal of a BIA is to:
  37. In areas where the cost of the control is justified by the benefit obtained: New controls should be implemented as a part of the risk mitigation strategy:
  38. The purchase of insurance to cover some of the losses associated with an incident: An example of risk transference as a risk mitigation option is:
  39. Assist in the management of a complex project by breaking it into individual steps: The purpose of a life cycle as used in the Systems Development Life Cycle (SDLC) is to:
  40. At each stage, starting at project initiation: At which stage of a project should risk management be performed?
  41. Non-disclosure agreement (NDA): When working with an outside party that may include access to sensitive information, each party should require a:
  42. Encryption of large amounts of data: Symmetric key algorithms are best used for:
  43. Confidentiality: A benefit provided by a symmetric algorithm is:
  44. Digital signatures: Asymmetric algorithms are often used in:
  45. Proving integrity of a message: The primary benefit of a hash function is:
  46. John's corresponding private key: Which key would open a message encrypted with John's public key?
  47. Password-based authentication: A hash is often used for:
  48. The subject: The entity requesting access in an access control system is often known as:
  49. Permit authorized persons appropriate levels of access: Access control is a means to:
  50. Physical controls: A surveillance camera is an access control based on:
  51. Gateways and individual desktops: Anti-virus systems should be deployed on:
  52. Enforce policies at a desktop level: The use of a policy-compliant system may enable an organization to:
  53. Administrative controls: An information classification policy is what form of control?
  54. Hashing: Which of the following is a one-way function?
  55. True: True/False: A Disaster Recovery Plan is a part of an Information Security Framework
  56. The development of metrics to measure program performance: An important element of an information security program is:
  57. Giving both internal and external users unique identification: Identity management applies to:
  58. Least privilege: The practice of only granting a user the lowest level of access required is:
  59. Discourage inappropriate behavior: A deterrent control can be used to:
  60. A fence: An example of a preventative control is:
  61. That it may implement a configuration change automatically without review: A disadvantage of an automated control may be:
  62. A person that takes ownership of each activity: The implementation of a security program requires:
  63. Social engineering: The manipulation of staff to perform unauthorized actions is known as:
  64. Business assurance: Audit is a form of:
  65. Interviews with senior management: What is the best way to understand business priorities?
  66. Roll back the implementation if possible: In case the implementation of an IT project fails, what is the next step?
  67. Determine the disparity between current and desired state: A gap analysis can be used to:
  68. Procedures, standards and baselines: Every policy should be backed up through the use of:
  69. Certification: The testing and evaluation of the security of a system made in support of the decision to implement the system is known as
  70. Accreditation: Ensuring that a system is not implemented until it has been formally approved by a senior manager is part of:
  71. Training: Teaching staff how to use a new security tool is known as:
  72. Change control: To ensure the quality of, and adherence to standards for, a modification to a system, the organization enforces:
  73. Confidentiality: One of the most important considerations when two organizations are considering a merger is?
  74. Service level agreements: What document is used to set out the expectations for vendors or suppliers?
  75. Relevant: Good information security metrics are clear, timely and?
  76. Find weaknesses in the system: A vulnerability test is intended to:
  77. True: True/False: Penetration testing and vulnerability assessments can be either internal or external.
  78. False: True/False: Gathering data to evaluate the security program cannot be done through interviews since the answers are too subjective.
  79. Key performance indicators (KPIs): Metrics to evaluate the effectiveness of system controls may be based on:
  80. Knowledge, ownership, biometric: The three authentication factors are:
  81. PII: Sensitive information about a person is called:
  82. The removal of sensitive information: A security risk associated with disposal of any storage device is:
  83. Ensure all data is removed or destroyed by the outsource service provider: When an outsourcing contract expires the organization must: