CISM domain 2 tests Q/Answers
An information security manager performing a security review determines that
compliance with access control policies to the data center is inconsistent across
employees. The FIRST step to address this issue should be to: - assess the risk of
noncompliance.
The information security manager should treat regulatory compliance requirements as: -
just another risk.
Management decided that the organization will not achieve compliance with a recently
issued set of regulations. Which ofthe following is the MOST likely reason for the
decision? - the cost of compliance exceeds the cost of possible sanctions.
The value of information assets is BEST determined by: - individual business managers
It is important to classify and determine relative sensitivity of assets to ensure that: -
countermeasures are proportional to risk.
When performing an information risk analysis, an information security manager should
FIRST: - take an asset inventory.
The PRIMARY benefit of performing an information asset classification is to: - identify
controls commensurate (съизмерими) to risk.
Which program element should be implemented FIRST in asset classification and
control? - valuation
When performing a risk assessment, the MOST important consideration is that: - assets
have been identified and appropriately valued.
The MAIN reason why asset classification is important to a successful information
security program is because classification determines: - the appropriate level of
protection to the asset.
Who is responsible for ensuring that information is classified? - data owner
The PRIMARY reason for assigning classes of sensitivity and criticality to information
resources is to provide a basis for: - defining the level of access controls.
Which of the following would govern which information assets need more protection
than other information assets? - data classification
Which of the following is the MOST important to keep in mind when assessing the value
of information? - the potential financial loss
, The information classification scheme should: - consider possible impact of a security
breach.
After performing an asset classification, the information security manager is BEST able
to determine the: - impact of a compromise.
In controlling information leakage, management should FIRST establish: - an
information classification process.
Which of the following BEST supports the principle of security proportionality? - asset
classification
The value of tangible assets can be BEST determined by which of the following? - the
market value minus the book value
Which of the following is MOST important to achieve proportionality in the protection of
enterprise information systems? - asset classification
The MOST important reason for conducting periodic risk assessment is because: -
security risks are subject to frequent change.
In a business impact analysis, the value of an information system should be based on
the overall cost: - if unavailable.
Which of the following risks would BEST be assessed using qualitative risk assessment
techniques? - permanent decline in customer confidence
Which of the following is the PRIMARY reason for implementing a risk management
program? - is a necessary part of management's due diligence
The impact of losing frame relay network connectivity for 18-24 hours should be
calculated using the: - financial losses incurred by affected business units.
In assessing risk, it is MOST essential to: - consider both monetary value and likelihood
of loss.
The PRIMARY goal of a corporate risk management program is to ensure that an
organization's: - stated objectives are achievable.
Before conducting a formal risk assessment of an organization's information resources,
an information security manager should FIRST: - map the major threats to business
objectives.
Which of the following is MOST essential for a risk management program to be
effective? - detection of new risk
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller academicmaster. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $15.49. You're not tied to anything after your purchase.