CISM - Test Practice 2022 with complete solution

Document Content and Description Below

CISM - Test Practice 2022 with complete solution Security governance is most concerned with: A. Security policy B. IT policy C. Security strategy D. Security executive -Answer- C. Security Stra... tegy A gaming software startup company does not employ penetration testing of its software. This is an example of: A. High tolerance of risk B. Noncompliance C. Irresponsibility D. Outsourcing -Answer- A. High tolerance of risk An organization's board of directors wants to see quarterly metrics on risk reduction. What would be the best metric for this purpose? A. Number of firewall rules triggered B. Viruses blocked by the firewall C. Packets dropped by the firewall D. Time to patch vulnerabilities on critical servers -Answer- D. Time to patch vulnerabilities on critical servers Which of the following metrics is the best example of a leading indicator? A. Average time to mitigate security incidents B. Increase in the number of attacks blocked by the intrusion prevention system (IPS) C. Increase in the number of attacks blocked by the firewall D. Percentage of critical servers being patched within service level agreements (SLAs) -Answer- D. Percentage of critical servers being patched within service level agreements (SLAs) What are the elements of the business model for information security (BMIS)? A. Culture, governing, architecture, emergence, enabling and support, human factors B. People, process, technology C. Organization, people, process, technology D. Financial, customer, internal processes, innovation, and learning -Answer- C. Organization, people, process, technology The best definition of a strategy is: A. The objective to achieve a plan B. The plan to achieve an objective C. The plan to achieve business alignment D. The plan to reduce risk -Answer- B. The plan to achieve an objective The primary factor related to the selection of a control framework is: A. Industry vertical B. Current process maturity level C. Size of the organization D. Compliance level -Answer- A. Industry vertical As part of understanding the organization's current state, a security strategist is examining the organization's security policy. What does the policy tell the strategist? A. the level of management commitment to security B. The compliance level of the organization C. The maturity level of the organization D. None of these -Answer- D. None of these While gathering and examining various security-related business records, the security manager has determined that the organization has no security incident log. What conclusion can the security manager make from this? A.The organization does not have security incident detection capabilities B. The organization has not yet experienced a security incident C. The organization is recording security incidents in its risk register D. The organization has effective preventive and detective controls. -Answer- A. The organization does not have security incident detection capabilities The purpose of a balanced scorecard is to: A. Measure the efficiency of a security organization B. Evaluate the performance of individual employees C. Benchmark a process in the organization against peer organizations D. Measure organizational performance and effectiveness against strategic goals -Answer- D. Measure organizational performance and effectiveness against strategic goals A security strategist has examined a business process and has determined that personnel who perform the process do so consistently, but there is no written process document. The maturity level of this process is: A. Initial B. Repeatable C. Defined D. Managed -Answer- B. Repeatable [Show More]

Last updated: 2 years ago

Preview 1 out of 10 pages