CISM Domain 1 Questions Set-3: INFORMATION SECURITY GOVERNANCE

21) Who is typically responsible for making risk treatment decisions in a properly functioning risk management program?
     a) Chief Information Security Officer (CISO)
     b) Chief Executive Officer (CEO)
     c) Chief Financial Officer (CFO)
     d) Chief Operating Officer (COO)

22) Do organizations usually have a uniform risk tolerance level across different business functions and security aspects?
     a) Yes, organizations have a uniform risk tolerance level.
     b) No, organizations have varying risk tolerance levels.
     c) Risk tolerance is determined solely by the CISO.
     d) Risk tolerance is determined solely by the CEO.

23) What is risk appetite defined as by ISACA?
     a) The level of risk that an organization can tolerate without its continued existence being called into question.
     b) The objective amount of loss that an organization is willing to accept.
     c) The level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives.
     d) The formal system of accountability and traceability of risk decisions back to department heads and business executives.

24) How do risk-averse organizations typically approach risk appetite documentation?
     a) They make individual risk decisions based on gut feeling.
     b) They have a formal system of accountability and traceability of risk decisions.
     c) They rely on customer mandates to document and articulate risk posture and appetite.
     d) They define risk appetite in concrete terms only if they are highly regulated organizations.

25) Which type of metrics can address the question of "How much security is enough?"
     a) Firewall metrics
     b) Key risk indicators (KRIs)
     c) Key goal indicators (KGIs)
     d) Key performance indicators (KPIs)

26) Which type of metrics are used to assess the effectiveness or alignment of an organization's overall security program?
     a) Firewall metrics
     b) Key risk indicators (KRIs)
     c) Key goal indicators (KGIs)
     d) Key performance indicators (KPIs)

27) Which type of metrics are used to measure the efficiency or effectiveness of security-related activities?
     a) Firewall metrics
     b) Key risk indicators (KRIs)
     c) Key goal indicators (KGIs)
     d) Key performance indicators (KPIs)

28) Which type of metrics are associated with the measurement of risk?
     a) Firewall metrics
     b) Key risk indicators (KRIs)
     c) Key goal indicators (KGIs)
     d) Key performance indicators (KPIs)

29) Which type of metrics are used to portray the attainment of strategic goals?
     a) Firewall metrics
     b) Key risk indicators (KRIs)
     c) Key goal indicators (KGIs)
     d) Key performance indicators (KPIs)

30) How does the alignment of a security program with the organization's mission, strategy, and goals impact risk appetite?
     a) It has no impact on risk appetite.
     b) It reduces risk appetite.
     c) It increases risk appetite.
     d) It helps define risk appetite.
