CISM Information Security Program Development

Question 1

When developing an information security program, a CISM should FIRST:

Accepted Answer

Define the security program's scope and objectives based on business needs

Answer

Procure security tools and technologies

Answer

Hire additional security analysts

Answer

Conduct employee phishing simulations

Question 2

Which of the following is MOST critical to the long-term success of an information security program?

Accepted Answer

Ongoing executive sponsorship and adequate resourcing

Answer

Use of the latest security technologies

Answer

100% employee compliance with all policies

Answer

Elimination of all third-party relationships

Question 3

A CISM is selecting security controls for a new information security program. Controls should PRIMARILY be selected based on:

Accepted Answer

Risk assessment results and business requirements

Answer

Vendor recommendations and marketing materials

Answer

What peer organizations have implemented

Answer

The lowest acquisition and implementation cost

Question 4

Which of the following BEST describes the purpose of a security awareness training program?

Accepted Answer

To educate employees about threats and their role in protecting information

Answer

To replace technical security controls

Answer

To satisfy regulatory requirements only

Answer

To test employees with unannounced phishing attacks

Question 5

A CISM is developing a security roadmap. The roadmap should be aligned to:

Accepted Answer

The organization's strategic business plan and risk tolerance

Answer

The latest cybersecurity threat intelligence reports

Answer

Industry peer benchmarks and best practices only

Answer

The IT department's annual budget cycle

Question 6

Which metric is MOST useful for measuring the effectiveness of a security awareness program?

Accepted Answer

Reduction in security incidents attributable to human error over time

Answer

Number of employees who completed training modules

Answer

Total cost of the training program delivery

Answer

Number of policies employees acknowledged