AND ANSWERS SURE A+
What is a primary method for justifying investments in information security? - Development of a business case
Relationships with third parties may: - Require the organization to comply with the security standards of the third party
True or False? The organization does not have to worry about the impact of third-party relationships on the security program. - False
The role of an Information Systems Security Steering Committee is to: - Provide feedback from all areas of the organization
The most effective tool a security department has is: - A security awareness program
The role of Audit in relation to Information Security is: - To validate the effectiveness of the security program against established metrics
Who should be responsible for development of a risk management strategy? - The Security Manager
The security requirements of each member of the organization should be documented in: - Their job descriptions
What could be the greatest challenge to implementing a new security strategy? - Obtaining buy-in from employees
A disgruntled former employee is a: - Threat
A bug or software flaw is a: - Vulnerability
An audit log is an example of a: - Detective control
A compensating control is used: - When normal controls are not sufficient to mitigate the risk
Encryption is an example of a: - Countermeasure
The examination of risk factors would be an example of: - Risk analysis
True/False: The only real risk mitigation technique is based on effective implementation of technical controls. - False
Should a risk assessment consider controls that are planned but not yet implemented? - Yes, because it would not be appropriate to recommend implementing controls that are already planned
The main purpose of information classification is to: - Ensure the effective, appropriate protection of information
The value of information is based in part on: - The fines imposed by regulators in the event of a breach
The definition of an information security baseline is: - The minimum level of security mandated in the organization
The use of a baseline can help the organization to: - Compare the current state of security with the desired state
The purpose of a Business Impact Analysis (BIA) is to: - Estimate the potential impact on the business in case of a system failure