Free preview mode
Enjoy the free questions and consider upgrading to gain full access!
CISM
Free trial
Verified
Question 176
Which of the following metrics BEST demonstrates the effectiveness of an organization's security awareness program?
- A: Percentage of employee computers and devices infected with malware
- B: Percentage of employees who regularly attend security training
- C: Number of security incidents reported to the help desk
- D: Number of phishing emails viewed by end users
Question 177
Who should decide whether a specific control should be changed once risk is approved for mitigation?
- A: Risk owner
- B: Data owner
- C: Control owner
- D: Process owner
Question 178
When determining key risk indicators (KRIs) for use in an information security program it is MOST important to select:
- A: KRIs that track both short-term and long-term performance.
- B: KRIs that align with business processes.
- C: KRIs that are quantifiable.
- D: as many KRIs as possible to catch risk events from the broadest areas.
Question 179
What is the PRIMARY objective of performing a vulnerability assessment following a business system update?
- A: Improve the change control process.
- B: Update the threat landscape.
- C: Determine operational losses.
- D: Review the effectiveness of controls.
Question 180
Senior management has requested a budget cut for the information security program in the coming fiscal year. Which of the following should be the information security manager's FIRST course of action?
- A: Analyze the impact to the information security program.
- B: Advise business unit heads of potential changes to the information security program.
- C: Evaluate cost savings within existing implementations.
- D: Re-prioritize information security implementation and operations.
Question 181
What is the MOST important consideration when establishing metrics for reporting to the information security strategy committee?
- A: Benchmarking the expected value of the metrics against industry standards
- B: Aligning the metrics with the organizational culture
- C: Agreeing on baseline values for the metrics
- D: Developing a dashboard for communicating the metrics
Question 182
Which of the following presents the GREATEST challenge when assessing the impact of emerging risk?
- A: Outdated risk management strategy
- B: Insufficient data related to the emerging risk
- C: Complexity of the emerging risk
- D: Lack of resources to perform risk assessments
Question 183
To effectively manage an organization’s information security risk, it is MOST important to:
- A: establish and communicate risk tolerance.
- B: benchmark risk scenarios against peer organizations.
- C: assign risk management responsibility to an experienced consultant.
- D: periodically identify and correct new systems vulnerabilities.
Question 184
Which of the following is the MOST useful input for an information security manager when updating the organization’s security policy?
- A: Security team capabilities
- B: Risk appetite
- C: Vulnerability scan
- D: Industry best practices
Question 185
The MOST effective way for an information security manager to secure senior management support for the information security strategy is by:
- A: presenting industry-specific information security best practices.
- B: determining cost effective information security controls.
- C: educating management on information security program needs.
- D: developing reports showing current threats to the organization.
Question 186
When engaging an external party to perform a penetration test, it is MOST important to:
- A: provide an updated asset inventory.
- B: notify employees of the testing.
- C: define the project scope.
- D: provide network documentation.
Question 187
Which of the following is the MOST effective way to convey information security responsibilities across an organization?
- A: Implementing security awareness programs
- B: Defining information security responsibilities in the security policy
- C: Developing a skills matrix
- D: Documenting information security responsibilities within job descriptions
Question 188
A financial institution is expanding to international jurisdictions and is mindful of protecting customer information. Which of the following should be of GREATEST concern?
- A: Ability to monitor and enforce security controls in multiple jurisdictions
- B: Global payment card industry regulations
- C: Privacy laws and regulations for each country in which the organization operates
- D: Information security resources available in each country in which the organization operates
Question 189
When evaluating cloud storage solutions, the FIRST consideration should be:
- A: how the organization's sensitive data will be transferred.
- B: the service level agreement (SLA) for encryption keys.
- C: the volume of data to be stored in the cloud.
- D: alignment with the organization's data classification policy.
Question 190
Which of the following should an information security manager perform FIRST when an organization's residual risk has increased?
- A: Implement security measures to reduce the risk.
- B: Assess the business impact.
- C: Transfer the risk to third parties.
- D: Communicate the information to senior management.
Question 191
Which of the following is the GREATEST benefit resulting from the introduction of data security standards for payment cards?
- A: It helps achieve the holistic protection of information assets in the industry.
- B: It deters hackers from committing crimes related to card payments.
- C: It enables a wider range of more sophisticated payment methods.
- D: It optimizes budget allocation for cybersecurity in each organization.
Question 192
Which of the following should an information security manager establish FIRST to ensure security-related activities are adequately monitored?
- A: Regular reviews of system logs
- B: Accountability for security functions
- C: Procedures for security assessments
- D: Schedules for internal audits
Question 193
Which of the following is the BEST approach for data owners to use when defining access privileges for users?
- A: Implement an identity and access management (IDM) tool.
- B: Adopt user account settings recommended by the vendor.
- C: Perform a risk assessment of the users' access privileges.
- D: Define access privileges based on user roles.
Question 194
Which of the following is the BEST control to protect customer personal information that is stored in the cloud?
- A: Strong encryption methods
- B: Appropriate data anonymization
- C: Strong physical access controls
- D: Timely deletion of digital records
Question 195
Which of the following is MOST important to include in an enterprise information security policy?
- A: Acceptable use
- B: Security objectives
- C: Security metrics
- D: Audit trail review requirements
Question 196
An information security manager wants to upgrade an organization's workstations to a new operating system version. Which of the following would be MOST helpful to gain senior management support for the upgrade?
- A: The results of user surveys indicating issues with the current operating system
- B: A list of the latest security features in the new operating system
- C: A summary of performance improvements in the new operating system
- D: An assessment of the current operating system based on risk
Question 197
Which of the following is MOST important to define when creating information security management metrics?
- A: Budget
- B: Objectives
- C: Policy
- D: Benchmarks
Question 198
A PRIMARY benefit of adopting an information security framework is that it provides:
- A: standardized security controls.
- B: common exploitability indices.
- C: credible emerging threat intelligence.
- D: security and vulnerability reporting guidelines.
Question 199
It is MOST important that risk owners understand they are accountable for:
- A: collaborating with stakeholders to evaluate the effectiveness of controls associated with the risk.
- B: reporting risk metrics and control compliance status to the information security manager.
- C: escalating control deficiencies associated with the risk to the steering committee for decision making.
- D: overseeing and monitoring the effectiveness of controls associated with the risk.
Question 200
Which of the following is MOST important to include in security incident escalation procedures?
- A: Recovery procedures
- B: Containment procedures
- C: Key objectives of the security program
- D: Notification criteria
Free preview mode
Enjoy the free questions and consider upgrading to gain full access!