CISM - Risk Management Roles & Responsibilities Exam Questions & Answers (Grade A+)
Which of the following would help to change an organization's security culture?
A. Develop procedures to enforce the information security policy.
B. Obtain strong management support.
C. Implement strict technical security controls.
D. Periodically audit compliance with the information security policy.
B is the correct answer.
Justification
Procedures will support an information security policy, but this is not likely to have much impact on the culture of the organization.
Because culture in an organization is a reflection of senior management, whether intentional or accidental, only management support and pressure will help to change an organization's culture.
Technical controls will provide more security to an information
system and staff; however, this does not mean the culture will be
changed.
Auditing will help to ensure the effectiveness of the information
security policy; however, auditing is not effective in changing the
culture of the company.
Which of the following BEST indicates senior management commitment toward supporting information security?
A. Assessment of risk to the assets
B. Approval of risk management methodology
C. Review of inherent risk to information assets
D. Review of residual risk for information assets
B is the correct answer.
Justification
An assessment of risk to assets by itself does not indicate
commitment and support.
Management sign-off on risk management methodology indicates
support and commitment to effective information security.
A review of inherent risk is not an indication of commitment and
support.
Reviewing residual risk may be a step in gaining commitment and
support but by itself is not sufficient.
Who can BEST approve plans to implement an information security governance framework?
A. Internal auditor
B. Information security management
C. Steering committee
D. Infrastructure management
C is the correct answer.
Justification
An internal auditor is secondary to the authority and influence of
senior management.
Information security management should not have the authority to
approve the security governance framework.
Senior management that is part of the security steering committee
is in the best position to approve plans to implement an
information security governance framework.