Answers (Grade A+)
Which of the following is the MOST effective way to ensure that
noncompliance to information security standards is resolved?
a. Periodic audits of noncompliant areas
b. An ongoing vulnerability scanning program
c. Annual security awareness training
d. Regular reports to the audit committee - D is the correct answer.
Justification
Periodic audits can be effective but only when combined with
reporting.
Vulnerability scanning has little to do with noncompliance with
standards.
Training can increase management's awareness regarding
information security, but awareness training is generally not as
compelling to management as having individual names highlighted
on a compliance report.
Reporting noncompliance to the audit committee is the most
effective way to ensure enforcement, so that the responsible parties
take the proper action to comply.
What activity should the information security manager perform
FIRST after finding that compliance with a set of standards is weak?
a. Initiate the exception process.
b. Modify policy to address the risk.
c. Increase compliance enforcement.
d. Perform a risk assessment. - D is the correct answer.
Justification
The exception process can be used after assessing the
noncompliance risk and determining whether compensating
controls are required.
Modifying policy is not necessary unless there is no applicable
standard and policy.
It is not appropriate to increase compliance enforcement until the
information security manager has determined the extent of the risk
posed by weak compliance.
The first action after finding noncompliance with particular
standards should be to determine the risk to the enterprise and the
potential impact (for both compliance and security risk).
Management requests that an information security manager
determine which regulations regarding disclosure, reporting and
privacy are the most important for the enterprise to address. The
recommendations for addressing these legal and regulatory
requirements will be MOST useful if based on which of the
following choices?
a. The extent of enforcement actions
b. The probability and consequences
c. The sanctions for noncompliance
d. The amount of personal liability - B is the correct answer.
Justification
The extent of enforcement is a measure of probability. Without
knowing the scope of consequences, probability cannot be viewed
in context.
Legal and regulatory requirements should be treated as any other
risk to the enterprise, calculated as the probability of enforcement
and the magnitude of possible sanctions (impact or consequences).
Sanctions or impact must be considered in the context of the
enforcement mechanisms. If sanctions have less probability of
being implemented due to lax enforcement, their severity poses
lower risk to the enterprise than if they are widely enforced.
Except in extreme cases of fraud or other criminal activity, liability
for regulatory sanctions generally lies with senior management and
the board of directors. It is not a driving factor in the evaluation of
regulatory requirements.
How should an information security manager balance the
potentially conflicting requirements of an international enterprise's
security standards with local regulation?
a. Give organizational standards preference over local regulations.
b. Follow local regulations only.
c. Make the enterprise aware of those standards where local
regulations cause conflicts.
d. Negotiate a local version of the enterprise standards. - D is the correct answer.
Justification
Organizational standards must be subordinate to local regulations.
It would be incorrect to follow local regulations only, because there
must be recognition of organizational requirements.
Making an enterprise aware of standards is a sensible step but is
not a complete solution.
Negotiating a local version of the enterprise's standards is the most
effective compromise in this situation. Regulations cannot be
changed by the enterprise, and it must achieve compliance, making
it necessary to develop a local version of its standards in
consultation with the principal office.