CISM domain 2 tests Q/Answers
An information security manager performing a security review determines that compliance with access control policies to the data center is inconsistent across employees. The FIRST step to address this issue should be to: - assess the risk of noncompliance.
The information security manager should treat regulatory compliance requirements as: - just another risk.
Management decided that the organization will not achieve compliance with a recently issued set of regulations. Which of the following is the MOST likely reason for the decision? - the cost of compliance exceeds the cost of possible sanctions.
The value of information assets is BEST determined by: - individual business managers.
It is important to classify and determine relative sensitivity of assets to ensure that: - countermeasures are proportional to risk.
When performing an information risk analysis, an information security manager should FIRST: - take an asset inventory.
The PRIMARY benefit of performing an information asset classification is to: - identify controls commensurate (proportionate) to risk.
Which program element should be implemented FIRST in asset classification and control? - valuation.
When performing a risk assessment, the MOST important consideration is that: - assets have been identified and appropriately valued.
The MAIN reason why asset classification is important to a successful information security program is because classification determines: - the appropriate level of protection to the asset.
Who is responsible for ensuring that information is classified? - data owner.
The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for: - defining the level of access controls.
Which of the following would govern which information assets need more protection than other information assets? - data classification.
Which of the following is the MOST important to keep in mind when assessing the value of information? - the potential financial loss.
The information classification scheme should: - consider possible impact of a security breach.
After performing an asset classification, the information security manager is BEST able to determine the: - impact of a compromise.
In controlling information leakage, management should FIRST establish: - an information classification process.
Which of the following BEST supports the principle of security proportionality? - asset classification.
The value of tangible assets can be BEST determined by which of the following? - the market value minus the book value.
Which of the following is MOST important to achieve proportionality in the protection of enterprise information systems? - asset classification.
The MOST important reason for conducting periodic risk assessment is because: - security risks are subject to frequent change.
In a business impact analysis, the value of an information system should be based on the overall cost: - if unavailable.
Which of the following risks would BEST be assessed using qualitative risk assessment techniques? - permanent decline in customer confidence.
Which of the following is the PRIMARY reason for implementing a risk management program? - it is a necessary part of management's due diligence.
The impact of losing frame relay network connectivity for 18-24 hours should be calculated using the: - financial losses incurred by affected business units.
In assessing risk, it is MOST essential to: - consider both monetary value and likelihood of loss.
The PRIMARY goal of a corporate risk management program is to ensure that an organization's: - stated objectives are achievable.
Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST: - map the major threats to business objectives.
Which of the following is MOST essential for a risk management program to be effective? - detection of new risk.