Which of the following is the BEST course of action if the business activity residual risk is lower than the acceptable risk level?

Monitor the effectiveness of controls

Update the risk assessment framework

Review the risk probability and impact

Which of the following is the responsibility of a risk owner?

Implementing risk treatment plan activities with control owners

Evaluating control effectiveness

Approving the selection of risk mitigation measures

Which of the following is the MOST important requirement for a successful security program?

Management decision on asset value

Mapping security processes to baseline security standards

Penetration testing on key systems

Management decision on asset value

Nondisclosure agreements (NDA) with employees

A critical server for a hospital has been encrypted by ransomware. The hospital is unable to function effectively without this server Which of the following would MOST effectively allow the hospital to avoid paying the ransom?

A properly tested offline backup system

Employee training on ransomware

A properly tested offline backup system

A continual server replication process

When developing a business case to justify an information security investment, which of the following would BEST enable an informed decision by senior management?

The results of a risk assessment

The information security strategy

Losses due to security incidents

The results of a risk assessment

Security investment trends in the industry

Which risk is introduced when using only sanitized data for the testing of applications?

Unexpected outcomes may arise in production

Data loss may occur during the testing phase.

Data disclosure may occur during the migration event

Unexpected outcomes may arise in production

Breaches of compliance obligations will occur.

Which of the following is the BEST method to ensure compliance with password standards?

Automated enforcement of password syntax rules

Implementing password-synchronization software

Using password-cracking software

Automated enforcement of password syntax rules

Management has announced the acquisition of a new company. The information security manager of the parent company is concerned that conflicting access rights may cause critical information to be exposed during the integration of the two companies. To BEST address this concern, the information security manager should:

perform a risk assessment of the access rights.

review access rights as the acquisition integration occurs.

perform a risk assessment of the access rights.

escalate concerns for conflicting access rights to management.

implement consistent access control standards.

An organization faces severe fines and penalties if not in compliance with local regulatory requirements by an established deadline. Senior management has asked the information security manager to prepare an action plan to achieve compliance.Which of the following would provide the MOST useful information for planning purposes?

Results from a business impact analysis (BIA)

Deadlines and penalties for noncompliance

An inventory of security controls currently in place

A newly appointed information security manager of a retailer with multiple stores discovers an HVAC (heating, ventilation, and air conditioning) vendor has remote access to the stores to enable real-time monitoring and equipment diagnostics. Which of the following should be the information security manager's FIRST course of action?

Conduct a penetration test of the vendor.

Review the vendor's technical security controls

Disconnect the real-time access

When creating an incident response plan, the PRIMARY benefit of establishing a clear definition of a security incident is that it helps to:

develop effective escalation and response procedures.

the incident response process to stakeholders

adequately staff and train incident response teams.

develop effective escalation and response procedures.

make tabletop testing more effective.

Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?

Review and update existing security policies.

Require remote wipe capabilities for devices.

Conduct security awareness training.

Review and update existing security policies.

Enforce passwords and data encryption on the devices.

An organization permits the storage and use of its critical and sensitive information on employee-owned smartphones. Which of the following is the BEST security control?

Establishing the authority to remote wipe

Developing security awareness training

Requiring the backup of the organization's data by the user

Monitoring how often the smartphone is used

Labeling information according to its security classification:

enhances the likelihood of people handling information securely.

reduces the number and type of countermeasures required.

reduces the need to identify baseline controls for each classification.

affects the consequences if information is handled insecurely.

Which of the following is the GREATEST benefit of information asset classification?

Providing a basis for implementing a need-to-know policy

Helping to determine the recovery point objective (RPO)

Providing a basis for implementing a need-to-know policy

Supporting segregation of duties

An organization's security policy is to disable access to USB storage devices on laptops and desktops. Which of the following is the STRONGEST justification for granting an exception to the policy?

The benefit is greater than the potential risk.

USB storage devices are enabled based on user roles.

Users accept the risk of noncompliance.

Access is restricted to read-only.

What is the PRIMARY objective of performing a vulnerability assessment following a business system update?

Review the effectiveness of controls

Improve the change control process.

Review the effectiveness of controls

Threat and vulnerability assessments are important PRIMARILY because they are:

used to establish security investments

the basis for setting control objectives.

elements of the organization's security posture.

An organization is aligning its incident response capability with a public cloud service provider. What should be the information security manager's FIRST course of action?

Review the provider's incident definitions and notification criteria.

Identify the skill set of the provider's incident response team.

Evaluate the provider's audit logging and monitoring controls.

Review the provider's incident definitions and notification criteria.

Update the incident escalation process.

Which of the following BEST provides an information security manager with sufficient assurance that a service provider complies with the organization's information security requirements?

The ability to i third-party supplier's IT systems and processes

Alive demonstration of the third-party supplier's security capabilities

The ability to i third-party supplier's IT systems and processes

Third-party security control self-assessment (CSA) results

An independent review report indicating compliance with industry standards

Which of the following should be the FIRST step in developing an information security strategy?

Perform a gap analysis based on the current state

Create a roadmap to identify security baselines and controls.

Identify key stakeholders to champion information security.

Determine acceptable levels of information security risk.

To help ensure that an information security training program is MOST effective, its contents should be:

focused on information security policy.

When developing a categorization method for security incidents, the categories MUST:

be created by the incident handler.

align with reporting requirements.

Which of the following is MOST important to have in place to help ensure an organization's cybersecurity program meets the needs of the business?

Information security governance

Information security awareness training

Information security governance

An information security manager has been tasked with developing materials to update the board, regulatory agencies, and the media about a security incident. Which of the following should the information security manager do FIRST?

Invoke the organization's incident response plan.

Set up communication channels for the target audience.

Determine the needs and requirements of each audience.

Create a comprehensive singular communication

Invoke the organization's incident response plan.

Which of the following would be MOST useful to help senior management understand the status of information security compliance?

Key performance indicators (KPIs)

Business impact analysis (BIA) results

An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining:

security requirements for the process being outsourced.

service level agreements (SLAs)

security requirements for the process being outsourced.

Which of the following BEST facilitates the effective execution of an incident response plan?

The response team is trained on the plan

The plan is based on risk assessment results.

The response team is trained on the plan

The plan is based on industry best practice.

The incident response plan aligns with the IT disaster recovery plan (DRP).

Which of the following should be the PRIMARY basis for a severity hierarchy for information security incident classification?

Adverse effects on the business

Legal and regulatory requirements

The MOST important element in achieving executive commitment to an information security governance program is:

established security strategies.

An organization plans to leverage popular social network platforms to promote its products and services. Which of the following is the BEST course of action for the information security manager to support this initiative?

Assess the security risk associated with the use of social networks.

Establish processes to publish content on social networks.

Assess the security risk associated with the use of social networks.

Conduct vulnerability assessments on social network platforms.

Develop security controls for the use of social networks.

A risk owner has accepted a large amount of risk due to the high cost of controls. Which of the following should be the information security manager's PRIMARY focus in this situation?

Establishing a strong ongoing risk monitoring process

Presenting the risk profile for approval by the risk owner

Conducting an independent review of risk responses

Updating the information security standards to include the accepted risk

Which is following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data?

Ensuring the amount of residual risk is acceptable

Reducing the number of vulnerabilities detected

Ensuring the amount of residual risk is acceptable

Avoiding identified system threats

Complying with regulatory requirements

An organization has identified an increased threat of external brute force attacks in its environment. Which of the following is the MOST effective way to mitigate this risk to the organization's critical systems?

Implement multi-factor authentication.

Increase the frequency of log monitoring and analysis.

Implement a security information and event management system (SIEM),

Increase the sensitivity of intrusion detection systems (IDSs).

Isaca CISM Practice Test 8 - Free Online Exam Prep & Questions

Which of the following should be an information security manager's FIRST course of action when a newly introduced privacy regulation affects the business?

Become a Premium Member for full access

Unlock Premium Member

Isaca CISM Practice Test 8

Question

Isaca CISM Practice Tests

Practice Tests