CISM 3 1st - 3rd Grade Quiz

1.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

A. head of internal audit.

B. chief operations officer (COO).

C. chief technology officer (CTO).

D. legal counsel.

Answer explanation

Explanation: The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO's goals for the infrastructure might, at times, run counter to the goals of information security.

2.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

A. Update platform-level security settings

B. Conduct disaster recovery test exercises

C. Approve access to critical financial systems

D. Develop an information security strategy paper

Answer explanation

Explanation: Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks.

3.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

A. assessing the frequency of incidents.

B. quantifying the cost of control failures.

C. calculating return on investment (ROI) projections.

D. comparing spending against similar organizations.

Answer explanation

Explanation: Calculating the return on investment (ROI) will most closely align security with the impact on the bottom line. Frequency and cost of incidents are factors that go into determining the impact on the business but, by themselves, are insufficient. Comparing spending against similar organizations can be problematic since similar organizations may have different business goals and appetites for risk.

4.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

A. aligned with the IT strategic plan.

B. based on the current rate of technological change.

C. three-to-five years for both hardware and software.

D. aligned with the business strategy.

Answer explanation

Explanation: Any planning for information security should be properly aligned with the needs of the business. Technology should not come before the needs of the business, nor should planning be done on an artificial timetable that ignores business needs.

5.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

Which of the following is the MOST important information to include in a strategic plan for information security?

A. Information security staffing requirements

B. Current state and desired future state

C. IT capital investment requirements

D. information security mission statement

Answer explanation

Explanation: It is most important to paint a vision for the future and then draw a road map from the stalling point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.

6.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

Information security projects should be prioritized on the basis of:

A. time required for implementation.

B. impact on the organization.

C. total cost for implementation.

D. mix of resources required.

Answer explanation

Explanation: Information security projects should be assessed on the basis of the positive impact that they will have on the organization. Time, cost and resource issues should be subordinate to this objective.

7.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

Which of the following is the MOST important information to include in an information security standard?

A. Creation date

B. Author name

C. Initial draft approval date

D. Last review date

Answer explanation

Explanation: The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard. The name of the author as well as the creation and draft dates are not that important.

8.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

Which of the following would BEST prepare an information security manager for regulatory reviews?

A. Assign an information security administrator as regulatory liaison

B. Perform self-assessments using regulatory guidelines and reports

C. Assess previous regulatory reports with process owners input

D. Ensure all regulatory inquiries are sanctioned by the legal department

Answer explanation

Explanation: Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department, or assessing previous reports, is not as effective. The legal department should review all formal inquiries but this does not help prepare for a regulatory review.

9.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.

B. establish baseline standards for all locations and add supplemental standards as required.

C. bring all locations into conformity with a generally accepted set of industry best practices.

D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.

Answer explanation

Explanation: It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The opposite approachג€"forcing all locations to be in compliance with the regulations places an undue burden on those locations.

10.

MULTIPLE CHOICE QUESTION

30 sec • 5 pts

Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

A. Ensure that all IT risks are identified

B. Evaluate the impact of information security risks

C. Demonstrate that IT mitigating controls are in place

D. Suggest new IT controls to mitigate operational risk

Answer explanation

Explanation: The job of the information security officer on such a team is to assess the risks to the business operation. Choice A is incorrect because information security is not limited to IT issues. Choice C is incorrect because at the time a team is formed to assess risk, it is premature to assume that any demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it is premature at the time of the formation of the team to assume that any suggestion of new IT controls will mitigate business operational risk.

Create a free account and access millions of resources

Similar Resources on Quizizz

Popular Resources on Quizizz

Discover more resources for Other