CISM
Which of the following is the BEST approach to identify noncompliance issues with legal, regulatory, and contractual requirements? A. Risk assessment B. Business impact analysis (BIA) C. Vulnerability assessment D. Gap analysis
Answer D
In addition to business alignment and security ownership, which of the following is MOST critical for information security governance? A. Auditability of systems B. Compliance with policies C. Reporting of security metrics D. Executive sponsorship
Answer: D Explanation: Executive sponsorship gives the governance program its authority, resources and visibility. Auditability, policy compliance and metrics reporting are all outcomes that depend on that sponsorship being in place.
The BEST way to encourage good security practices is to: A. schedule periodic compliance audits. B. discipline those who fail to comply with the security policy. C. recognize appropriate security behavior by individuals. D. publish the information security policy.
Answer: C Explanation: Positive recognition reinforces the behavior the organization wants to see. Audits and discipline are enforcement measures and publishing the policy is communication; none of these by itself encourages good practice.
When creating an information security governance program, which of the following will BEST enable the organization to address regulatory compliance requirements? A. Guidelines for processes and procedures B. A security control framework C. An approved security strategy plan D. Input from the security steering committee
Answer: B Explanation: A security control framework provides a structured set of controls against which regulatory requirements can be mapped and gaps identified. Guidelines, the strategy plan and steering committee input support the program but do not by themselves address the requirements.
Which of the following MOST effectively helps an organization to align information security governance with corporate governance? A. Promoting security as enabler to achieve business objectives B. Prioritizing security initiatives based on IT strategy C. Adopting global security standards to achieve business goals D. Developing security performance metrics
Answer: A
Which of the following is MOST helpful for aligning security operations with the IT governance framework? A. Information security policy B. Security risk assessment C. Security operations program D. Business impact analysis (BIA)
Answer: A
Which of the following is the MOST effective way for senior management to support the integration of information security governance into corporate governance? A. Develop the information security strategy based on the enterprise strategy. B. Appoint a business manager as head of information security. C. Promote organization-wide information security awareness campaigns. D. Establish a steering committee with representation from across the organization.
Answer: A
Which of the following is the MOST effective way to achieve the integration of information security governance into corporate governance? A. Align information security budget requests to organizational goals B. Ensure information security efforts support business goals C. Provide periodic IT balanced scorecards to senior management D. Ensure information security aligns with IT strategy
Answer: B Explanation: Integration into corporate governance is achieved when information security efforts demonstrably support business goals. Aligning budgets or IT strategy and reporting scorecards are means toward that end, not the integration itself.
Which of the following is the PRIMARY reason an information security strategy should be deployed across an organization? A. To ensure that the business complies with security regulations B. To ensure that management's intent is reflected in security activities C. To ensure that employees adhere to security standards D. To ensure that security-related industry best practices are adopted
Answer: B Explanation: The strategy translates management's intent into the security activities carried out across the organization. Regulatory compliance, adherence to standards and adoption of best practices are outcomes the strategy may pursue, not the primary reason for deploying it.
Which of the following should an information security manager do FIRST after learning about a new regulation that affects the organization? A. Evaluate the changes with legal counsel. B. Notify the affected business units. C. Assess the noncompliance risk. D. Inform senior management of the new regulation.
Answer: A
Before conducting a formal risk assessment of an organization's information resources, an information security manager should FIRST: A. map the major threats to business objectives. B. review available sources of risk information. C. identify the value of the critical assets. D. determine the financial impact if threats materialize.
Answer: A Explanation: Risk mapping or a macro assessment of the major threats to the organization is a simple first step before performing a risk assessment. Compiling all available sources of risk information is part of the risk assessment. Choices C and D are also components of the risk assessment process, which are performed subsequent to the threats-business mapping.
Which of the following should be included in an annual information security budget that is submitted for management approval? A. A cost-benefit analysis of budgeted resources B. All of the resources that are recommended by the business C. Total cost of ownership (TCO) D. Baseline comparisons
Answer: A Explanation: A brief explanation of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Explanations of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget. Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval.
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration? A. Laws and regulations of the country of origin may not be enforceable in the foreign country. B. A security breach notification might get delayed due to the time difference. C. Additional network intrusion detection sensors should be installed, resulting in an additional cost. D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
Answer: A Explanation: A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Option C is a manageable problem that requires additional funding, but can be addressed. Option D is a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or a SAS 70 report can address such concerns.
What is the PRIMARY role of the information security manager in the process of information classification within an organization? A. Defining and ratifying the classification structure of information assets B. Deciding the classification levels applied to the organization's information assets C. Securing information assets in accordance with their classification D. Checking if information assets have been classified properly
Answer: A Explanation: Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.
Which of the following is a benefit of information security governance? A. Reduction of the potential for civil or legal liability B. Questioning trust in vendor relationships C. Increasing the risk of decisions based on incomplete management information D. Direct involvement of senior management in developing control processes
Answer: A Explanation: Information security governance decreases the risk of civil or legal liability. The remaining answers are incorrect. Option D appears to be correct, but senior management would provide oversight and approval as opposed to direct involvement in developing control processes.
Information security managers should use risk assessment techniques to: A. justify selection of risk mitigation strategies. B. maximize the return on investment (ROI). C. provide documentation for auditors and regulators. D. quantify risks that would otherwise be subjective.
Answer: A Explanation: Information security managers should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible. None of the other choices accomplishes that task, although they are important components.
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if: A. it implies compliance risks. B. short-term impact cannot be determined. C. it violates industry security practices. D. changes in the roles matrix cannot be detected.
Answer: A Explanation: Monitoring processes are also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law. Choices B and C are evaluated as part of the operational risk. Choice D is unlikely to be as critical a breach of regulatory legislation. The acceptance of operational risks overrides choices B, C and D.
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST: A. interview senior management B. conduct a risk assessment C. conduct a cost-benefit analysis D. perform a gap analysis
Answer: D
An information security manager must understand the relationship between information security and business operations in order to: A. support organizational objectives. B. determine likely areas of noncompliance. C. assess the possible impacts of compromise. D. understand the threats to the business.
Answer: A Explanation: Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.
The systems administrator did not immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by: A. periodically testing the incident response plans. B. regularly testing the intrusion detection system (IDS). C. establishing mandatory training of all personnel. D. periodically reviewing incident response procedures.
Answer: A Explanation: Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system (IDS) is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents. However, testing of the actual plans is more effective in ensuring the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.
The MOST useful way to describe the objectives in the information security strategy is through: A. attributes and characteristics of the "desired state." B. overall control objectives of the security program. C. mapping the IT systems to key business processes. D. calculation of annual loss expectations.
Answer: A Explanation: Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.
Which of the following is the BEST reason to perform a business impact analysis (BIA)? A. To help determine the current state of risk B. To budget appropriately for needed controls C. To satisfy regulatory requirements D. To analyze the effect on the business
Answer: A Explanation: The BIA is included as part of the process to determine the current state of risk and helps determine the acceptable levels of response to impacts and the current level of response, leading to a gap analysis. Budgeting appropriately may come as a result, but is not the reason to perform the analysis. Performing an analysis may satisfy regulatory requirements, but that is not the reason to perform one. Analyzing the effect on the business is part of the process, but one must also determine the needs or acceptable effect or response.
Which of the following would BEST ensure the success of information security governance within an organization? A. Steering committees approve security projects B. Security policy training provided to all managers C. Security training available to all employees on the intranet D. Steering committees enforce compliance with laws and regulations
Answer: A Explanation: The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions? A. Include security responsibilities in the job description B. Require the administrator to obtain security certification C. Train the system administrator on penetration testing and vulnerability assessment D. Train the system administrator on risk assessment
Answer: A Explanation: The first step to improve accountability is to include security responsibilities in a job description. This documents what is expected and approved by the organization. The other choices are methods to ensure that the system administrator has the training to fulfill the responsibilities included in the job description.
When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider? A. Preserving the confidentiality of sensitive data B. Establishing international security standards for data sharing C. Adhering to corporate privacy standards D. Establishing system manager responsibility for information security
Answer: A Explanation: The goal of information security is to protect the organization's information assets. International security standards are situational, depending upon the company and its business. Adhering to corporate privacy standards is important, but those standards must be appropriate and adequate and are not the most important factor to consider. All employees are responsible for information security, but it is not the most important factor to consider.
An information security manager's PRIMARY objective for presenting key risks to the board of directors is to: A. meet information security compliance requirements. B. ensure appropriate information security governance. C. quantify reputational risks. D. re-evaluate the risk appetite.
Answer: B
An organization has detected potential risk emerging from noncompliance with new regulations in its industry. Which of the following is the MOST important reason to report this situation to senior management? A. The risk profile needs to be updated. B. An external review of the risk needs to be conducted. C. Specific monitoring controls need to be implemented. D. A benchmark analysis needs to be performed.
Answer: A Explanation: New noncompliance risk changes the organization's risk profile, and senior management needs the updated profile in order to decide on a response. An external review, monitoring controls and a benchmark analysis are possible responses, not the reason for reporting.
Business units within an organization are resistant to proposed changes to the information security program. Which of the following is the BEST way to address this issue? A. Implementing additional security awareness training B. Communicating critical risk assessment results to business unit managers C. Including business unit representation on the security steering committee D. Publishing updated information security policies
Answer: C Explanation: Giving business units a seat on the steering committee involves them in the decisions that affect them and builds ownership of the changes. Awareness training, risk reports and policy publication communicate the changes but do not address the resistance.
Which of the following is MOST important to the successful implementation of an information security governance framework across the organization? A. Organizational security controls deployed in line with regulations B. Security management processes aligned with security objectives C. The existing organizational security culture D. Security policies that adhere to industry best practices
Answer: B
Which of the following is the BEST way to facilitate the alignment between an organization's information security program and business objectives? A. Information security is considered at the feasibility stage of all IT projects. B. The information security governance committee includes representation from key business areas. C. The chief executive officer reviews and approves the information security program. D. The information security program is audited by the internal audit department.
Answer: B
Which of the following is the MOST effective way of ensuring that business units comply with an information security governance framework? A. Integrating security requirements with processes B. Performing security assessments and gap analysis C. Conducting a business impact analysis (BIA) D. Conducting information security awareness training
Answer: A Explanation: Building security requirements into business processes makes compliance part of normal operations rather than a separate activity. Assessments, a BIA and awareness training detect or encourage compliance but do not ensure it.
Which of the following is the MOST important reason for an organization to develop an information security governance program? A. Establishment of accountability B. Compliance with audit requirements C. Monitoring of security incidents D. Creation of tactical solutions
Answer: A Explanation: Governance establishes who is accountable for protecting the organization's information assets. Audit compliance, incident monitoring and tactical solutions follow from that accountability and are not the reason for creating the program.
Which of the following should be the FIRST step to ensure an information security program meets the requirements of new regulations? A. Validate the asset classification schema. B. Integrate compliance into the risk management process. C. Assess organizational security controls. D. Conduct a gap analysis to determine necessary changes.
Answer: D Explanation: A gap analysis between the new regulatory requirements and the current program identifies what must change. Validating the classification schema, integrating compliance into risk management and assessing controls follow from that analysis.
Which of the following should be the PRIMARY expectation of management when an organization introduces an information security governance framework? A. Optimized information security resources B. Consistent execution of information security strategy C. Improved accountability to shareholders D. Increased influence of security management
Answer: B
Which of the following is the MOST usable deliverable of an information security risk analysis? A. Business impact analysis (BIA) report B. List of action items to mitigate risk C. Assignment of risks to process owners D. Quantification of organizational risk
Answer: B Explanation: Although all of these are important, the list of action items is used to reduce or transfer the current level of risk. The other options materially contribute to the way the actions are implemented.
Who should drive the risk analysis for an organization? A. Senior management B. Security manager C. Quality manager D. Legal department
Answer: B Explanation: Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the: A. corporate data privacy policy. B. data privacy policy where data are collected. C. data privacy policy of the headquarters' country. D. data privacy directive applicable globally.
Answer: B Explanation: As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.
Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas? A. Platform security B. Entitlement changes C. Intrusion detection D. Antivirus controls
Answer: B Explanation: Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible. Platform security, intrusion detection and antivirus controls are all within the responsibility of the information security manager.
The FIRST step in developing an information security management program is to: A. identify business risks that affect the organization. B. clarify organizational purpose for creating the program. C. assign responsibility for the program. D. assess adequacy of controls to mitigate business risks.
Answer: B Explanation: In developing an information security management program, the first step is to clarify the organization's purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles? A. Ethics B. Proportionality C. Integration D. Accountability
Answer: B Explanation: Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation.
Information security should be: A. focused on eliminating all risks. B. a balance between technical and business requirements. C. driven by regulatory requirements. D. defined by the board of directors.
Answer: B Explanation: Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)? A. Knowledge of information technology platforms, networks and development methodologies B. Ability to understand and map organizational needs to security technologies C. Knowledge of the regulatory environment and project management techniques D. Ability to manage a diverse group of individuals and resources across an organization
Answer: B Explanation: Information security will be properly aligned with the goals of the business only with the ability to understand and map organizational needs to enable security technologies. All of the other choices are important but secondary to meeting business security needs.
Which of the following is the BEST advantage of a centralized information security organizational structure? A. It allows for a common level of assurance across the enterprise. B. It is easier to manage and control business unit security teams. C. It is more responsive to business unit needs. D. It provides a faster turnaround for security waiver requests.
Answer: B Explanation: It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.
An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should: A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions. B. establish baseline standards for all locations and add supplemental standards as required. C. bring all locations into conformity with a generally accepted set of industry best practices. D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
Answer: B Explanation: It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The opposite approach, forcing every location to comply with the aggregate requirements of all jurisdictions, places an undue burden on those locations.
Which of the following would help to change an organization's security culture? A. Develop procedures to enforce the information security policy B. Obtain strong management support C. Implement strict technical security controls D. Periodically audit compliance with the information security policy
Answer: B Explanation: Management support and pressure will help to change an organization's culture. Procedures will support an information security policy, but cannot change the culture of the organization. Technical controls will provide more security to an information system and staff; however, this does not mean the culture will be changed. Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company.
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management? A. Security metrics reports B. Risk assessment reports C. Business impact analysis (BIA) D. Return on security investment report
Answer: B Explanation: Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.
Which of the following should be the FIRST step in developing an information security plan? A. Perform a technical vulnerabilities assessment B. Analyze the current business strategy C. Perform a business impact analysis D. Assess the current levels of security awareness
Answer: B Explanation: Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.
Retention of business records should PRIMARILY be based on: A. business strategy and direction. B. regulatory and legal requirements. C. storage capacity and longevity. D. business ease and value analysis.
Answer: B Explanation: Retention of business records is generally driven by legal and regulatory requirements. Business strategy and direction would not normally apply nor would they override legal and regulatory requirements. Storage capacity and longevity are important but secondary issues. Business case and value analysis would be secondary to complying with legal and regulatory requirements.
Who is responsible for ensuring that information is categorized and that specific protective measures are taken? A. The security officer B. Senior management C. The end user D. The custodian
Answer: B Explanation: Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.
After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented? A. Senior management B. Business manager C. IT audit manager D. Information security officer (ISO)
Answer: B Explanation: The business manager will be in the best position, based on the risk assessment and mitigation proposals, to decide which controls should or could be implemented, in line with the business strategy and within budget. Senior management will have to ensure that the business manager has a clear understanding of the assessed risk but will not normally be in a position to decide on specific controls. The IT audit manager will take part in the process to identify threats and vulnerabilities and to recommend mitigations. The information security officer (ISO) could make some decisions regarding implementation of controls. However, the business manager has a broader business view and full control over the budget and is therefore better placed to make these decisions.
Which of the following risks would BEST be assessed using quantitative risk assessment techniques? A. Customer data stolen B. An electrical power outage C. A web site defaced by hackers D. Loss of the software development team
Answer: B Explanation: The effect of the theft of customer data or web site defacement by hackers could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques. Loss of a majority of the software development team could have similar unpredictable repercussions. However, the loss of electrical power for a short duration is more easily measurable and can be quantified into monetary amounts that can be assessed with quantitative techniques.
Who would be in the BEST position to determine the recovery point objective (RPO) for business applications? A. Business continuity coordinator B. Chief operations officer (COO) C. Information security manager D. Internal audit
Answer: B Explanation: The recovery point objective (RPO) is the processing checkpoint to which systems are recovered. In addition to data owners, the chief operations officer (COO) is the most knowledgeable person to make this decision. It would be inappropriate for the information security manager or an internal audit to determine the RPO because they are not directly responsible for the data or the operation.
Which of the following would BEST help an information security manager prioritize remediation activities to meet regulatory requirements? A. A capability maturity model matrix B. Annual loss expectancy (ALE) of noncompliance C. Cost of associated controls D. Alignment with the IT strategy
Answer: D
After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan? A. Risk heat map B. Recent audit results C. Balanced scorecard D. Gap analysis
Answer: C
Internal audit has reported a number of information security issues which are not in compliance with regulatory requirements. What should the information security manager do FIRST? A. Create a security exception B. Perform a vulnerability assessment C. Perform a gap analysis to determine needed resources D. Assess the risk to business operations
Answer: C
What should be an information security manager's FIRST course of action when an organization is subject to a new regulatory requirement? A. Perform a gap analysis B. Complete a control assessment C. Submit a business case to support compliance D. Update the risk register
Answer: C
When developing an information security governance framework, which of the following would be the MAIN impact when lacking senior management involvement? A. Accountability for risk treatment is not clearly defined. B. Information security responsibilities are not communicated effectively. C. Resource requirements are not adequately considered. D. Information security plans do not support business requirements.
Answer: C
When supporting a large corporation's board of directors in the development of governance, which of the following is the PRIMARY function of the information security manager? A. Gaining commitment of senior management B. Preparing the security budget C. Providing advice and guidance D. Developing a balanced scorecard
Answer: C
Which of the following is a PRIMARY responsibility of an information security governance committee? A. Analyzing information security policy compliance reviews B. Approving the purchase of information security technologies C. Reviewing the information security strategy D. Approving the information security awareness training strategy
Answer: C
Which of the following is the BEST approach for an information security manager when developing new information security policies? A. Create a stakeholder map. B. Reference an industry standard. C. Establish an information security governance committee. D. Download a policy template.
Answer: C
Which of the following is the BEST way to align security and business strategies? A. Include security risk as part of corporate risk management. B. Develop a balanced scorecard for security. C. Establish key performance indicators (KPIs) for business through security processes. D. Integrate information security governance into corporate governance.
Answer: C
Which of the following is the BEST way to integrate information security into corporate governance? A. Engage external security consultants in security initiatives. B. Conduct comprehensive information security management training for key stakeholders. C. Ensure information security processes are part of the existing management processes. D. Require periodic security risk assessments be performed.
Answer: C
Which of the following is the MOST important requirement for the successful implementation of security governance? A. Implementing a security balanced scorecard B. Performing an enterprise-wide risk assessment C. Mapping to organizational strategies D. Aligning to an international security framework
Answer: C
Which of the following is MOST essential for a risk management program to be effective? A. Flexible security budget B. Sound risk baseline C. New risks detection D. Accurate risk reporting
Answer: C Explanation: All of these procedures are essential for implementing risk management. However, without identifying new risks, other procedures will only be useful for a limited period.
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization? A. More uniformity in quality of service B. Better adherence to policies C. Better alignment to business unit needs D. More savings in total operating costs
Answer: C Explanation: Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.
Senior management commitment and support for information security can BEST be enhanced through: A. a formal security policy sponsored by the chief executive officer (CEO). B. regular security awareness training for employees. C. periodic review of alignment with business management goals. D. senior management signoff on the information security strategy.
Answer: C Explanation: Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer (CEO) signoff on the security policy and senior management signoff on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.
An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the: A. threat. B. loss. C. vulnerability. D. probability.
Answer: C Explanation: Implementing more restrictive preventive controls mitigates vulnerabilities but not the threats. Losses and probability of occurrence may not be primarily or directly affected.
An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What action should the board take next? A. Direct information security on what they need to do B. Research solutions to determine the proper solutions C. Require management to report on compliance D. Nothing; information security does not report to the board
Answer: C Explanation: Information security governance is the responsibility of the board of directors and executive management. In this instance, the appropriate action is to ensure that a plan is in place for implementation of needed safeguards and to require updates on that implementation.
Information security policy enforcement is the responsibility of the: A. security steering committee. B. chief information officer (CIO). C. chief information security officer (CISO). D. chief compliance officer (CCO).
Answer: C Explanation: Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.
Which of the following are seldom changed in response to technological changes? A. Standards B. Procedures C. Policies D. Guidelines
Answer: C Explanation: Policies are high-level statements of objectives. Because of their high-level nature and statement of broad operating principles, they are less subject to periodic change. Security standards and procedures as well as guidelines must be revised and updated based on the impact of technology changes.
The PRIMARY goal of a corporate risk management program is to ensure that an organization's: A. IT assets in key business functions are protected. B. business risks are addressed by preventive controls. C. stated objectives are achievable. D. IT facilities and systems are always available.
Answer: C Explanation: Risk management's primary goal is to ensure an organization maintains the ability to achieve its objectives. Protecting IT assets is one possible goal as well as ensuring infrastructure and systems availability. However, these should be put in the perspective of achieving an organization's objectives. Preventive controls are not always possible or necessary; risk management will address issues with an appropriate mix of preventive and corrective controls.
Relationships among security technologies are BEST defined through which of the following? A. Security metrics B. Network topology C. Security architecture D. Process improvement models
Answer: C Explanation: Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.
Which of the following is responsible for legal and regulatory liability? A. Chief security officer (CSO) B. Chief legal counsel (CLC) C. Board and senior management D. Information security steering group
Answer: C Explanation: The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Who is ultimately responsible for the organization's information? A. Data custodian B. Chief information security officer (CISO) C. Board of directors D. Chief information officer (CIO)
Answer: C Explanation: The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution? A. Risk assessment report B. Technical evaluation report C. Business case D. Budgetary requirements
Answer: C Explanation: The information security manager needs to prioritize the controls based on risk management and the requirements of the organization. The information security manager must look at the costs of the various controls and compare them against the benefit the organization will receive from the security solution. The information security manager needs to have knowledge of the development of business cases to illustrate the costs and benefits of the various controls. All other choices are supplemental.
The MOST important factor in ensuring the success of an information security program is effective: A. communication of information security requirements to all users in the organization. B. formulation of policies and procedures for information security. C. alignment with organizational goals and objectives. D. monitoring compliance with information security policies and procedures.
Answer: C Explanation: The success of security programs is dependent upon alignment with organizational goals and objectives. Communication is a secondary step. Effective communication and education of users is a critical determinant of success but alignment with organizational goals and objectives is the most important factor for success. Mere formulation of policies without effective communication to users will not ensure success. Monitoring compliance with information security policies and procedures can be, at best, a detective mechanism that will not lead to success in the midst of uninformed users.
Which of the following would be MOST effective in successfully implementing restrictive password policies? A. Regular password audits B. Single sign-on system C. Security awareness program D. Penalties for noncompliance
Answer: C Explanation: To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.
A security manager meeting the requirements for the international flow of personal data will need to ensure: A. a data processing agreement. B. a data protection registration. C. the agreement of the data subjects. D. subject access procedures.
Answer: C Explanation: Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.
What is the MOST important factor in the successful implementation of an enterprise wide information security program? A. Realistic budget estimates B. Security awareness C. Support of senior management D. Recalculation of the work factor
Answer: C Explanation: Without the support of senior management, an information security program has little chance of survival. A company's leadership group, more than any other, is best placed to drive the program; its authoritative position in the company is a key factor. Budget approval, resource commitments and companywide participation also require buy-in from senior management, which is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. Recalculation of the work factor is a part of risk management.
Which of the following is the MOST essential task for a chief information security officer (CISO) to perform? A. Update platform-level security settings B. Conduct disaster recovery test exercises C. Approve access to critical financial systems D. Develop an information security strategy paper
Answer: D Explanation: Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks.
An organization enacted several information security policies to satisfy regulatory requirements. Which of the following situations would MOST likely increase the probability of noncompliance to these requirements? A. Inadequate buy-in from system owners to support the policies B. Availability of security policy documents on a public website C. Lack of training for end users on security policies D. Lack of an information security governance framework
Answer: D
In information security governance, the PRIMARY role of the board of directors is to ensure: A. approval of relevant policies and standards. B. communication of security posture to stakeholders. C. compliance with regulations and best practices. D. alignment with the strategic goals of the organization.
Answer: D
Security governance is MOST associated with which of the following IT infrastructure components? A. Network B. Application C. Platform D. Process
Answer: D
Senior management commitment and support will MOST likely be offered when the value of information security governance is presented from a: A. threat perspective. B. compliance perspective. C. risk perspective. D. policy perspective.
Answer: D
The PRIMARY purpose of implementing information security governance metrics is to: A. measure alignment with best practices. B. assess operational and program metrics. C. refine control operations. D. guide security towards the desired state.
Answer: D
The effectiveness of an information security governance framework will BEST be enhanced if: A. IS auditors are empowered to evaluate governance activities. B. risk management is built into operational and strategic activities. C. a culture of legal and regulatory compliance is promoted by management. D. consultants review the information security governance framework.
Answer: D
At what stage of the applications development process should the security department initially become involved? A. When requested B. At testing C. At programming D. At detail requirements
Answer: D Explanation: Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process.
The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should: A. ensure the provider is made liable for losses. B. recommend not renewing the contract upon expiration. C. recommend the immediate termination of the contract. D. determine the current level of security.
Answer: D Explanation: It is important to ensure that adequate levels of protection are written into service level agreements (SLAs) and other outsourcing contracts. Information must be obtained from providers to determine how that outsource provider is securing information assets prior to making any recommendation or taking any action in order to support management decision making. Choice A is not acceptable in most situations and therefore not a good answer.
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in: A. storage capacity and shelf life. B. regulatory and legal requirements. C. business strategy and direction. D. application systems and media.
Answer: D Explanation: Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification? A. Alignment with industry best practices B. Business continuity investment C. Business benefits D. Regulatory compliance
Answer: D Explanation: Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis or justification is required, since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the measure in question.
The security responsibility of data custodians in an organization will include: A. assuming overall protection of information assets. B. determining data classification levels. C. implementing security controls in products they install. D. ensuring security measures are consistent with policy.
Answer: D Explanation: Security responsibilities of data custodians within an organization include ensuring that appropriate security measures are maintained and are consistent with organizational policy. Executive management holds overall responsibility for protection of the information assets. Data owners determine data classification levels for information assets so that appropriate levels of controls can be provided to meet the requirements relating to confidentiality, integrity and availability. Implementation of information security in products is the responsibility of the IT developers.
Senior management commitment and support for information security can BEST be obtained through presentations that: A. use illustrative examples of successful attacks. B. explain the technical risks to the organization. C. evaluate the organization against best security practices. D. tie security risks to key business objectives.
Answer: D Explanation: Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.
Which of the following would be the MOST important goal of an information security governance program? A. Review of internal control mechanisms B. Effective involvement in business decision making C. Total elimination of risk factors D. Ensuring trust in data
Answer: D Explanation: The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.
The PRIMARY objective of a risk management program is to: A. minimize inherent risk. B. eliminate business risk. C. implement effective controls. D. minimize residual risk.
Answer: D Explanation: The goal of a risk management program is to ensure that residual risk remains within manageable levels. Management of risk does not always require the removal of inherent risk nor is this always possible. A possible benefit of good risk management is to reduce insurance premiums, but this is not its primary intention. Effective controls are naturally a clear objective of a risk management program, but with the choices given, choice C is an incomplete answer.
Which of the following situations would MOST inhibit the effective implementation of security governance? A. The complexity of technology B. Budgetary constraints C. Conflicting business priorities D. High-level sponsorship
Answer: D Explanation: The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance. Complexity of technology, budgetary constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors.
What is the MAIN risk when there is no user management representation on the Information Security Steering Committee? A. Functional requirements are not adequately considered. B. User training programs may be inadequate. C. Budgets allocated to business units are not appropriate. D. Information security plans are not aligned with business requirements.
Answer: D Explanation: The steering committee controls the execution of the information security strategy, according to the needs of the organization, and decides on the project prioritization and the execution plan. User management is an important group that should be represented to ensure that the information security plans are aligned with the business needs. Functional requirements and user training programs are considered to be part of the projects but are not the main risks. The steering committee does not approve budgets for business units.
From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities? A. Enhanced policy compliance B. Improved procedure flows C. Segregation of duties D. Better accountability
Answer: D Explanation: Without well-defined roles and responsibilities, there cannot be accountability. Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct. Choice B is incorrect because people can be assigned to execute procedures that are not well designed. Choice C is incorrect because segregation of duties is not automatic, and roles may still include conflicting duties.