1. Which of the following is MOST important to evaluate after completing a risk action plan?
A) Threat profile
B) Inherent risk
C) Residual risk
D) Vulnerability landscape
2. Which of the following would BEST enable an organization to effectively monitor the implementation of standardized configurations?
A) Implement a separate change tracking system to record changes to configurations.
B) Perform periodic audits to detect non-compliant configurations.
C) Develop policies requiring use of the established benchmarks.
D) Implement automated scanning against the established benchmarks.
3. The PRIMARY benefit of integrating information security risk into enterprise risk management is to:
A) ensure timely risk mitigation.
B) justify the information security budget.
C) obtain senior management's commitment.
D) provide a holistic view of risk.
4. Which of the following should be the information security manager's NEXT step following senior management approval of the information security strategy?
A) Develop a security policy.
B) Develop a budget.
C) Perform a gap analysis.
D) Form a steering committee.
5. Management is questioning the need for several items in the information security budget proposal. Which of the following would have been MOST helpful prior to budget submission?
A) Benchmarking information security efforts of industry competitors
B) Obtaining better pricing from information security service vendors
C) Presenting a report of current threats to the organization
D) Educating management on information security best practices