Set 3
Which policy defines the level of protection that should be provided for each category of data based on the business value?
The data classification policy
What should be the prime basis for determining the classification of information assets?
Criticality and sensitivity
What should be the prime basis for determining the criticality and sensitivity of information assets?
Impact assessment
What is the most important factor to achieve proportionality in the protection of information assets?
Asset classification
What is the first step in performing information risk analysis?
Preparing an asset inventory
What is the best tool for determining the priority of restoration for applications?
Business impact analysis (BIA)
Recovery time objectives (RTOs) are primarily based on:
Business impact analysis (BIA)
What are the advantages of a centralized security function?
• Easy to manage and control
• Improved compliance with organizational policies and standards
• Reduction of the total cost of ownership
Which document contains a high-level statement indicating the direction of management?
A policy
What is the initial stage of information security program development?
Determining the security needs and requirements on the basis of discussion with concerned stakeholders, such as business units, legal, HR, and finance
Who should provide the final approval of security patch implementation?
The business asset owner
What is the prime objective of metrics?
Decision-making. Based on effective metrics, organizations evaluate and measure the achievement and performance of various processes and controls. Effective metrics are primarily used for security-related decision-making.
What is the most significant attribute of a good information security metric?
The metric should be meaningful to the recipient.
In which phase of the SDLC should metrics be designed to assess the effectiveness of the system over time?
The design phase
What is the most useful metric to determine the effectiveness of a log monitoring process?
The percentage of unauthorized penetration attempts investigated
What is the risk of “fail open” in case of a control failure?
Confidentiality and integrity may be compromised.
In which situation is continuous monitoring more cost effective?
In areas where risk is high (i.e., incidents may have high impact and frequency)
What is the best way to define minimum requirements for security?
Security baseline
What is the best way to ensure uniform security arrangements across the organization?
Security baseline
What is the most effective method to change an organization’s culture to one that is more security conscious?
Security awareness campaigns
What is the primary objective of security awareness?
Influence employee behavior toward security consciousness, thereby decreasing the number of security incidents.
What is the primary concern about outsourcing to offshore locations?
Privacy laws and regulatory requirements
What is the best way to determine whether the terms of the contract are adhered to in accordance with the service-level agreement (SLA)?
Independent audits
What are the most important actions prior to contracting a third party to perform a penetration test against an organization?
• To ensure that the goals and objectives of the test are clearly defined
• To ensure that the rules of engagement are clearly defined
As an information security manager, you need to ensure that a network is secured against intrusion from any external sources. What should be your best course of action?
To perform periodic penetration testing