CISM Information Security Governance 3

Question 1

Which of the following BEST illustrates an effective security governance reporting structure?

Accepted Answer

CISO reports to both the CEO and board with regular updates

Answer

CISO reports to the CTO only

Answer

Security reports are shared only within the IT department

Answer

Security metrics are reported only after incidents occur

Question 2

An organization wants to ensure its security governance program remains effective over time. The BEST mechanism is:

Accepted Answer

Continuous monitoring and periodic program reviews

Answer

One-time security policy review at program launch

Answer

Outsourcing all security functions to a managed provider

Answer

Implementing a zero-trust network architecture

Question 3

Which of the following represents a governance control rather than a technical control?

Accepted Answer

Acceptable use policy

Answer

Intrusion detection system

Answer

Encryption of data at rest

Answer

Multi-factor authentication

Question 4

A newly appointed CISM discovers the organization has no formal security governance structure. The FIRST step should be to:

Accepted Answer

Obtain executive sponsorship and establish governance authority

Answer

Deploy endpoint detection and response tools

Answer

Conduct a security awareness training campaign

Answer

Perform a full network vulnerability scan

Question 5

Which of the following BEST defines 'security culture' within a governance context?

Accepted Answer

The shared values, behaviors, and attitudes toward security among employees

Answer

The technical security tools deployed across the organization

Answer

The number of security policies documented by the organization

Answer

The frequency of penetration testing conducted annually

Question 6

When assigning ownership of information assets, the MOST appropriate owner is typically:

Accepted Answer

The business unit manager responsible for the asset

Answer

The IT security team

Answer

The external auditor

Answer

The system administrator