FREE Certified Information Security Manager (CISM) MCQ Questions and Answers

Question 1

What should a risk management strategy's main goal be?

Accepted Answer

Identify credible risks and reduce them to an acceptable level

Answer

The main goal of a risk management strategy is to identify risks, then reduce those risks to levels that upper management can accept.

The phrase "determine the organization's risk appetite" is erroneous because, while crucial and necessary for a risk management program to operate correctly, determining risk appetite is not the fundamental goal of a risk management strategy. It is erroneous to say, "Identify credible risks and transfer them to an external entity," when many other potential outcomes for hazards can be discovered. It is erroneous to say "remove credible dangers," as risks can only be decreased to tolerable levels.

Question 2

A manufacturing company's CISO, Linda, is developing a new cyber-risk governance procedure. What should Linda do initially to ensure the success of this process?

Accepted Answer

Charter a security steering committee consisting of IT, security, and business leaders

Answer

The best course of action is to establish a chartered information security steering group with representatives from business, IT, and security leaders. Business executives need to get involved and participate in discussions and decisions if security governance is to be successful.

It is false to say that you should "develop a RACI matrix that outlines executive roles and responsibilities" since, while vital, a RACI matrix is only a small component of a formalized information security steering committee. It is erroneous to say, "Charter a security steering group made up of leaders in IT and cybersecurity." A security steering committee must also have business leaders on it. Because security governance, which is more than risk management, is the topic of this question, it is erroneous to say that you should "develop a risk management process comparable to what is found in ISO/IEC 27001."

Question 3

What procedures must be followed before a risk assessment can begin in an organization?

Accepted Answer

Determine scope, purpose, and criteria for the audit

Answer

Establishing an audit context is essential, according to ISO/IEC 27005 and other risk management standards. This entails choosing the audit's scope or the areas of the company that will be examined. Determining the risk assessment's goal, such as control coverage, control efficacy, or business process effectiveness, is also crucial. The criteria for the audit must then be decided.

Since any confirmation of qualifications would be made previous to this point, the phrases "Determine the qualifications of the firm that will execute the audit" and "Determine the qualifications of the person(s) who will perform the audit" are erroneous. It is erroneous to say, "Determine scope, application, and purpose for the audit," as an audit that was not necessary should not be carried out.

Question 4

A risk manager in an organization just finished a risk assessment. One of the conclusions was requested by executive management to be eliminated from the final report by the risk manager. What is demonstrated by this removal?

Accepted Answer

Risk acceptance

Answer

Despite being dubious, removing a risk finding from a report implies risk acceptance. However, it may go further than that, and in some professions, this is regarded as carelessness and negligence. Usually, a risk manager would oppose such a move and might think about documenting the situation or possibly making a formal protest.

The term "gerrymandering" is erroneous because it refers to the process of drawing election boundaries for governmental purposes. Internal politics is not the ideal response, even though the circumstance may illustrate internal politics. The term "risk avoidance" is erroneous because it refers to ceasing to engage in an activity that poses a risk.

Question 5

A new CISO is managing asset inventory processes at a financial services company. The company uses both on-premises and IaaS-based virtualization services. What method will efficiently identify all active assets?

Accepted Answer

Perform discovery scans on all networks.

Answer

Even if none of these methods is perfect, the best initial step is to run discovery scans across all networks. Even so, network engineers must be consulted to ensure that discovery scans in on-premises and IaaS systems scan all known networks. Interviewing system engineers to understand virtual machine management systems and collect inventory data from them are further helpful approaches.

It is erroneous to "get a list of all assets from the patch management platform," as patch management systems could not cover some assets in the organization's environment. It is erroneous to say, "Obtain a list of all assets from the patch management platform," as not all assets in the organization's environment may send log data to the SIEM. Because the company uses virtualization technology and IaaS-based platforms, counting servers in an on-premises data center will miss both virtual and IaaS-based assets; therefore, the instruction to "count all of the servers in each data center" is wrong.

CISM - Certified Information Security Manager Practice Test

CISM - Certified Information Security Manager Practice Test

FREE Certified Information Security Manager (CISM) MCQ Questions and Answers