Topic 1: Exam Pool A
When designing security controls, it is MOST important to:
A. apply a risk-based approach.
B. evaluate the costs associated with the controls.
C. focus on preventive controls.
D. apply controls to confidential information.
Answer: apply a risk-based approach.

Which of the following would MOST effectively communicate the benefits of an information security program to executive management?
A. Industry benchmarks
B. Key performance indicators (KPIs)
C. Threat models
D. Key risk indicators (KRIs)
Answer: Key risk indicators (KRIs)

Which of the following would BEST enable effective decision-making?
A. Formalized acceptance of risk analysis by business management
B. A consistent process to analyze new and historical information risk
C. A universally applied list of generic threats, impacts, and vulnerabilities
D. Annualized loss estimates determined from past security events
Answer: Formalized acceptance of risk analysis by business management

The authorization to transfer the handling of an internal security incident to a third-party support provider is PRIMARILY defined by the:
A. disaster recovery plan (DRP).
B. information security manager.
C. chain of custody.
D. escalation procedures.
Answer: escalation procedures.
To set security expectations across the enterprise, it is MOST important for the information security policy to be regularly reviewed and endorsed by:
A. senior management.
B. security administrators.
C. the chief information security officer (CISO).
D. the IT steering committee.
Answer: the IT steering committee.