CISM Information Security Program Development 2

Question 1

A CISM is implementing a security control framework. Which of the following is MOST important when selecting a framework?

Accepted Answer

It should align with the organization's risk profile and industry requirements

Answer

Framework selection should be based on alignment with the organization's specific risk profile, regulatory environment, and industry context.

Question 2

Which of the following BEST describes a 'defense-in-depth' strategy in an information security program?

Accepted Answer

Implementing multiple layers of controls so that failure of one does not expose assets

Answer

Defense-in-depth uses multiple overlapping layers of controls so that no single point of failure can compromise security.

Question 3

When building a security program, which of the following activities should be performed on a CONTINUOUS basis?

Accepted Answer

Monitoring of controls effectiveness and emerging threats

Answer

Continuous monitoring of control effectiveness and the threat landscape ensures the security program remains relevant and effective as conditions change.

Question 4

A CISM is developing a vulnerability management program. The FIRST step should be:

Accepted Answer

Defining the scope, assets, and criticality tiers to be covered

Answer

Defining the scope, assets covered, and their criticality ensures the vulnerability management program is structured and resources are focused appropriately.

Question 5

Which of the following BEST supports a 'security by design' approach in program development?

Accepted Answer

Integrating security requirements into the project lifecycle from inception

Answer

Security by design integrates security requirements early in the system development lifecycle, reducing cost and complexity compared to retrofitting controls later.

CISM - Certified Information Security Manager Practice Test

CISM - Certified Information Security Manager Practice Test

CISM Information Security Program Development 2