CISM Compliance and Regulatory Requirements 3

Question 1

Which of the following BEST describes the role of a CISM in supporting a regulatory examination?

Accepted Answer

Coordinating the organization's response and ensuring requested evidence is complete and accurate

Answer

Personally answering all examiner questions without consulting legal counsel

Answer

Limiting examiner access to only the IT department

Answer

Delaying the examination until all identified gaps are remediated

Question 2

When a compliance requirement conflicts with a security best practice, a CISM should FIRST:

Accepted Answer

Analyze whether the compliance baseline is sufficient or whether compensating controls are needed

Answer

Implement the security best practice and ignore the compliance requirement

Answer

Follow the compliance requirement without any additional security measures

Answer

Escalate immediately to the CEO for a final decision

Question 3

Which of the following BEST describes the concept of 'privacy by design' in a compliance context?

Accepted Answer

Embedding privacy protections into systems and processes from the beginning of development

Answer

Encrypting all databases containing personal information

Answer

Obtaining user consent before collecting any personal data

Answer

Storing personal data in geographically restricted data centers

Question 4

A CISM discovers that a business unit is non-compliant with a key regulatory requirement. The MOST appropriate action is to:

Accepted Answer

Document the non-compliance, assess risk, and initiate a remediation plan with appropriate escalation

Answer

Immediately report the business unit to the regulator

Answer

Shut down the business unit's operations until compliance is achieved

Answer

Ignore the issue if the probability of examination is low

Question 5

Which of the following is a KEY benefit of integrating compliance and security program activities?

Accepted Answer

Duplication of effort is reduced and security controls serve multiple purposes simultaneously

Answer

Compliance activities can replace security risk assessments entirely

Answer

The organization can focus exclusively on regulatory requirements rather than threats

Answer

Compliance integration eliminates the need for external audits

Question 6

Which of the following MOST accurately describes a 'compensating control' in a regulatory compliance context?

Accepted Answer

An alternative control implemented when the primary required control cannot be met

Answer

A duplicate of an existing control added for extra protection

Answer

A technical control that replaces the need for security policies

Answer

A financial payment made to regulators in lieu of implementing required controls