Information Security Program Development and Management for CISM
This page covers the Information Security Program Development and Management domain of the CISM certification. Master Cybersecurity offers 478 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?
- A. Access control management
- B. Change management
- C. Configuration management
- D. Risk management
Explanation
The correct answer is: D. Risk management.
When management changes the enterprise business strategy, risk management should be used to evaluate existing information security controls and select new ones because the strategy change reshapes the risk picture that the controls operate against. CISM treats risk management as the principal control-selection process when business context changes. Access control management addresses one specific control category. Change management addresses the process of making changes but is not the substantive evaluation framework. Configuration management addresses configuration state; risk management is the substantive integrating evaluation process for control selection.
Question 2
What would be an information security manager's BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization's critical data?
- A. Cancel the outsourcing contract.
- B. Transfer the risk to the provider.
- C. Create an addendum to the existing contract.
- D. Initiate an external audit of the provider's data center.
Explanation
The correct answer is: C. Create an addendum to the existing contract.
The suggested answer is C. To address the issue of the contract not clearly identifying requirements for safeguarding critical data, the best recommendation is to create an addendum to the existing contract. This allows the organization to update and clarify the terms related to the security of critical data without having to cancel the contract or transfer all the risk to the provider. By creating an addendum, the organization can ensure that the necessary security requirements are explicitly stated, thereby protecting its critical data while maintaining the existing business relationship.
Question 3
An organization has purchased a security information and event management (SIEM) tool. Which of the following is MOST important to consider before implementation?
- A. Controls to be monitored
- B. Reporting capabilities
- C. The contract with the SIEM vendor
- D. Available technical support
Explanation
The correct answer is: A. Controls to be monitored.
The suggested answer is A. Before implementing a Security Information and Event Management (SIEM) tool, it is most important to consider the controls to be monitored. This is because the primary function of a SIEM tool is to collect, analyze, and respond to log data from various sources within the organization. Knowing which controls and events need to be monitored helps ensure the SIEM is accurately configured to detect and respond to relevant security incidents. Establishing these controls beforehand allows the organization to tailor the SIEM system to meet specific security needs and regulatory requirements, ensuring effective and meaningful security monitoring. Other factors like reporting capabilities, vendor contracts, and technical support, while important, are secondary considerations that should follow once the monitoring requirements are clearly defined.
Question 4
Which of the following is the BEST method to protect consumer private information for an online public website?
- A. Apply strong authentication to online accounts
- B. Encrypt consumer data in transit and at rest
- C. Use secure encrypted transport layer
- D. Apply a masking policy to the consumer data
Explanation
The correct answer is: B. Encrypt consumer data in transit and at rest.
The best method to protect consumer private information for an online public website is to encrypt consumer data in transit and at rest because comprehensive encryption protects the data through every state where it might be exposed. CISM treats end-to-end encryption as the principal data-protection control. Applying strong authentication to online accounts addresses access but does not protect the data itself. Using a secure encrypted transport layer addresses one specific state (transit) but not at-rest data. Applying a masking policy to consumer data addresses display rather than full storage and transmission; the in-transit-and-at-rest encryption is the substantive protection.
Question 5
Which of the following is the MOST important consideration in a bring your own device (BYOD) program to protect company data in the event of a loss?
- A. The ability to remotely locate devices
- B. The ability to centrally manage devices
- C. The ability to restrict unapproved applications
- D. The ability to classify types of devices
Explanation
The correct answer is: A. The ability to remotely locate devices.
The most important consideration in a BYOD program to protect company data in the event of a loss is the ability to remotely locate devices because location capability enables both physical recovery and triggering of remote wipe. CISM treats remote location as the principal BYOD loss-mitigation capability. The ability to centrally manage devices addresses ongoing operations but the specific loss-event capability is location. The ability to restrict unapproved applications addresses ongoing exposure. The ability to classify types of devices addresses inventory rather than loss response; remote location is the substantive loss-mitigation capability.
Other CISM domains
- Information Risk Management (252 questions)
- Information Security Governance (290 questions)
- Information Security Incident Management (230 questions)