Topic 1: Exam Pool A
Which of the following BEST provides an information security manager with sufficient
assurance that a service provider complies with the organization's information security
requirements?
A. The ability to audit the third-party supplier's IT systems and processes
B. An independent review report indicating compliance with industry standards
C. Third-party security control self-assessment results
D. A live demonstration of the third-party supplier's security capabilities
Answer: C. Third-party security control self-assessment results
An organization's operations have been significantly impacted by a cyber
attack resulting in data loss. Once the attack has been contained, what should the security
team do NEXT?
A. Implement compensating controls
B. Update the incident response plan
C. Conduct a lessons learned exercise
D. Perform a root cause analysis
Answer: D. Perform a root cause analysis
A new regulatory requirement affecting an organization's information security program is
released. Which of the following should be the information security manager's FIRST
course of action?
A. Conduct benchmarking
B. Determine the disruption to the business
C. Perform a gap analysis
D. Notify the legal department
Answer: C. Perform a gap analysis
When drafting the corporate privacy statement for a public web site, which of the following
MUST be included?
A. Information encryption requirements
B. Access control requirements
C. Limited liability clause
D. Explanation of information usage
Answer: D. Explanation of information usage
Which of the following is MOST likely to be a component of a security incident escalation
policy?
A. Sample scripts and press releases for statements to media
B. Names and telephone numbers of key management personnel
C. Decision criteria for when to alert various groups
D. A severity-ranking mechanism tied only to the duration of the outage
Answer: C. Decision criteria for when to alert various groups