Exam (elaborations)

CISM – EXAM PRACTICE COMPLETELY SOLVED (VERIFIED ANSWERS 100%)

Pages: 10
Grade: A+
Uploaded on: 28-01-2023
Written in: 2022/2023

Security governance is most concerned with:
A. Security policy
B. IT policy
C. Security strategy
D. Security executive
ANSWER: C. Security Strategy

A gaming software startup company does not employ penetration testing of its software. This is an example of:
A. High tolerance of risk
B. Noncompliance
C. Irresponsibility
D. Outsourcing
ANSWER: A. High tolerance of risk

An organization's board of directors wants to see quarterly metrics on risk reduction. What would be the best metric for this purpose?
A. Number of firewall rules triggered
B. Viruses blocked by the firewall
C. Packets dropped by the firewall
D. Time to patch vulnerabilities on critical servers
ANSWER: D. Time to patch vulnerabilities on critical servers

Which of the following metrics is the best example of a leading indicator?
A. Average time to mitigate security incidents
B. Increase in the number of attacks blocked by the intrusion prevention system (IPS)
C. Increase in the number of attacks blocked by the firewall
D. Percentage of critical servers being patched within service level agreements (SLAs)
ANSWER: D. Percentage of critical servers being patched within service level agreements (SLAs)

What are the elements of the business model for information security (BMIS)?
A. Culture, governing, architecture, emergence, enabling and support, human factors
B. People, process, technology
C. Organization, people, process, technology
D. Financial, customer, internal processes, innovation, and learning
ANSWER: C. Organization, people, process, technology

The best definition of a strategy is:
A. The objective to achieve a plan
B. The plan to achieve an objective
C. The plan to achieve business alignment
D. The plan to reduce risk
ANSWER: B. The plan to achieve an objective

The primary factor related to the selection of a control framework is:
A. Industry vertical
B. Current process maturity level
C. Size of the organization
D. Compliance level
ANSWER: A. Industry vertical

As part of understanding the organization's current state, a security strategist is examining the organization's security policy. What does the policy tell the strategist?
A. The level of management commitment to security
B. The compliance level of the organization
C. The maturity level of the organization
D. None of these
ANSWER: D. None of these

While gathering and examining various security-related business records, the security manager has determined that the organization has no security incident log. What conclusion can the security manager make from this?
A. The organization does not have security incident detection capabilities
B. The organization has not yet experienced a security incident
C. The organization is recording security incidents in its risk register
D. The organization has effective preventive and detective controls.
ANSWER: A. The organization does not have security incident detection capabilities

The purpose of a balanced scorecard is to:
A. Measure the efficiency of a security organization
B. Evaluate the performance of individual employees
C. Benchmark a process in the organization against peer organizations
D. Measure organizational performance and effectiveness against strategic goals
ANSWER: D. Measure organizational performance and effectiveness against strategic goals

A security strategist has examined a business process and has determined that personnel who perform the process do so consistently, but there is no written process document. The maturity level of this process is:
A. Initial
B. Repeatable
C. Defined
D. Managed
ANSWER: B. Repeatable

A security strategist has examined several business processes and has found that their individual maturity levels range from Repeatable to Optimizing. What is the best future state for these business processes?
A. All processes should be changed to Repeatable.
B. All processes should be changed to Optimizing
C. There is insufficient information to determine the desired end states of these processes
D. Processes that are Repeatable should be changed to Defined.
ANSWER: C. There is insufficient information to determine the desired end states of these processes

Contains: Questions & answers

Seller: papersbyjol, West Virginia