CISM - Information Security Governance Flash
When the security risk assessment result was reviewed, it was found that the rationale for risk rating varies by department. Which of the following will BEST improve this situation?
Apply common risk measurement criteria to each department
Which of the following choices is MOST likely to achieve cost-effective risk mitigation across the organization?
Assurance process integration
To justify its ongoing information security budget, which of the following would be of MOST use to the information security department?
Cost-benefit analysis
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
Feasibility
An organization is using a vendor-supplied critical application which has a maximum password length that does not comply with organizational security standards. Which of the following approaches BEST helps mitigate the weakness?
Introduce compensating controls.
Which of the following attributes would be MOST essential to developing effective metrics?
Meaningful to the recipient
How should an information security manager balance the potentially conflicting requirements of an international organization's security standards with local regulation?
Negotiate a local version of the organization standards.
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
Proportionality
Which of the following actions should the information security manager take FIRST on finding that current controls are not sufficient to prevent a serious compromise?
Reassess the risk.
An organization has recently developed and approved an access control policy. Which of the following will be MOST effective in communicating the access control policy to the employees?
Requiring employees to formally acknowledge receipt of the policy
Which of the following will require the MOST effort when supporting an operational information security program?
Reviewing and modifying procedures
Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts?
Security goals should be derived from business goals.
Which of the following is the MOST effective way to measure strategic alignment of an information security program?
Survey business stakeholders
During a stakeholder meeting, a question was asked regarding who is ultimately accountable for the protection of sensitive data. Assuming that all of the following roles exist in the enterprise, which would be the MOST appropriate answer?
The board of directors
When assessing the maturity of the risk management process, which of the following findings raises the GREATEST concern?
The desired state is not based on the business objectives.
What is the MOST likely reason that an organizational policy can be eliminated?
There is no credible threat.
Responsibility for information security and related activities involves multiple departments. What is the PRIMARY reason the information security manager should develop processes that integrate these roles and responsibilities?
To mitigate the tendency for security gaps to exist between assurance functions
Which of the following BEST assists the information security manager in identifying new threats to information security?
Understanding the flow and classification of information used by the organization
Periodically analyzing the gap between controls and the control objectives is necessary to: address changes in exposure.
address changes in exposure.
The MOST appropriate role for senior management in supporting information security is the:
approval of policy statements and funding.
A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
assess whether existing controls meet the regulation.
The MOST basic requirement for an information security governance program is to:
be aligned with the corporate business strategy.
In order to highlight to management, the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
conduct a risk assessment.
An enterprise is transferring its IT operations to an offshore location. An information security manager should PRIMARILY focus on:
conducting a risk assessment.
An information security manager at a global organization has to ensure that the local information security program will initially be in compliance with the:
data privacy policy where data are collected.
Obtaining senior management support for establishing a warm site can BEST be accomplished by:
developing a business case.
An organization that appoints a chief information security officer (CISO):
improves collaboration among the ranks of senior management.
The MOST complete business case for security solutions is one that:
includes appropriate justification.
The information security policies of an organization require that all confidential information must be encrypted while communicating to external entities. A regulatory agency insisted that a compliance report must be sent without encryption. The information security manager should:
initiate an exception process for sending the report without encryption.
Control baselines are MOST directly related to the:
organization's risk appetite.
"Sensitive data must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure" is a statement that would MOST likely be found in a:
policy.
Risk management needs to be approached as a regular, ongoing program or activity primarily because:
the environment changes.
Acceptable levels of information security risk should be determined by:
the steering committee.
Information security policy development should PRIMARILY be based on:
threats.
Effective governance of enterprise security is BEST ensured by:
using a top-down approach.
Which of the following would BEST address the risk of data leakage?
Acceptable use policies
Which of the following is the BEST basis for determining the criticality and sensitivity of information assets?
An impact assessment
From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities?
Better accountability
Which of the following elements is MOST important when developing an information security strategy?
Defined objectives
There is a concern that lack of detail in the recovery plan may prevent an organization from meeting its required time objectives when a security incident strikes. Which of the following is MOST likely to ensure the recovery time objectives would be met?
Delegation of authority in recovery execution
Which of the following is the MOST appropriate task for a chief information security officer to perform?
Develop an information security strategy
Senior management is reluctant to budget for the acquisition of an intrusion prevention system. The chief information security officer should do which of the following activities?
Develop and present a business case for the project.