CISM Information Security Governance 2

Question 1

Which framework is MOST commonly used to establish information security governance in US enterprises?

Accepted Answer

COBIT

Answer

PCI DSS

Answer

OWASP Top 10

Answer

CVE

Question 2

When developing a security governance program, a CISM should FIRST:

Accepted Answer

Understand the organization's business strategy and objectives

Answer

Purchase security tools and technologies

Answer

Hire additional security staff

Answer

Conduct a gap analysis of current controls

Question 3

Which of the following BEST describes the relationship between IT governance and information security governance?

Accepted Answer

Information security governance is a subset of IT governance

Answer

They are identical and interchangeable

Answer

IT governance reports to information security governance

Answer

They operate independently with no overlap

Question 4

A CISM is presenting a security governance roadmap to the CEO. The presentation should PRIMARILY focus on:

Accepted Answer

Security risk in terms of business impact and strategic alignment

Answer

Technical vulnerability details and patch timelines

Answer

Specific firewall configurations and network diagrams

Answer

Number of security incidents detected last quarter

Question 5

Which of the following is a KEY output of a mature information security governance program?

Accepted Answer

Security metrics aligned to business objectives

Answer

Zero security incidents

Answer

100% patch compliance

Answer

Elimination of all third-party vendors

Question 6

Separation of duties in security governance is PRIMARILY intended to:

Accepted Answer

Reduce the risk of fraud and error by distributing responsibilities

Answer

Speed up security approvals

Answer

Decrease the number of security staff needed

Answer

Automate compliance reporting