CISM_CH2A
Which of the following is considered the most significant key risk indicator? A. Abnormal deviations from normal employee attrition rates B. High counts of virus quarantined by anti-virus software C. High counts of packets filtered by a firewall D. Low numbers of information security officers on the staff
Answer: A. Abnormal deviations from normal employee attrition rates Explanation: A sudden increase in employee attrition rates can indicate suspicious activity that requires the attention of the security manager. For example, if a large number of developers are leaving the organization, it may indicate that a competitor is trying to obtain the organization's development plan. High counts of virus and filtered packets may indicate a change in the threat environment, but there is no direct impact as these are controlled through the use of antivirus software or firewalls. A low number of security officers on the staff does not necessarily indicate a risk.
Immediately after implementing access control for the internet, employees started complaining of being unable to perform business functions on internet sites. This is an example of which of the following? A. Conflict between security controls and business requirements B. Stringent security controls C. Mandatory access controls D. Discretionary access controls
Answer: A. Conflict between security controls and business requirements Explanation: This is an example of a conflict between security controls and business requirements where the security controls are not supporting business needs. These controls should not restrict the ability of users to perform their jobs.
The most critical factor for designing an information security strategy is which of the following? A. Defined objectives B. Defined time frame c. Defined framework D. Defined policies
Answer: A. Defined objectives Explanation: Defined objectives are the most important element, as without objectives, a strategy to achieve the objectives cannot be developed. Policies are developed after the development of the strategy. The time frame and framework are not as important as defined objectives.
The most important role for a CISO is which of the following? A. Design and develop an information security strategy. B. Conduct business continuity planning (BCP) testing. C. Approve system accesses. D. Deploy patch releases.
Answer: A. Design and develop an information security strategy. Explanation: The CISO is primarily responsible for designing and developing the information security strategy. The other functions listed here are normally carried out by IT and operational staff.
Commitment and support from senior management with respect to information security can be best addressed by which of the following? A. Emphasizing the organizational risk B. Emphasizing the requirements of global security standards c. Emphasizing the industry benchmarks D. Emphasizing the responsibility of the organization
Answer: A. Emphasizing the organizational risk Explanation: Emphasizing organizational risk and its impact on the business objectives is the best way to gain commitment and support from senior management. The other options here are secondary factors.
The objective of the information security strategy can be best described as which of the following? A. Requirements of the desired state B. Attributes of the current state C. Key business process D. Control objective for loss expectations
Answer: A. Requirements of the desired state Explanation: The objective of the security strategy can be best described as what is required to achieve the desired state. It is not restricted to only key processes or loss expectations.
What is the main objective of the information security strategy? A. To determine the security goals and plan to achieve them B. To determine the configuration of the security controls C. To determine the acceptable usage of information assets D. To determine the budget of the information security program
Answer: A. To determine the security goals and plan to achieve them Explanation: The main objective of the strategy is to set out the goals of the information security program and create a plan to achieve those goals. The budget is linked to the security objectives. A strategy is a high-level management intent and does not generally include the implementation aspects mentioned in options B and C.
The prime objective of developing an information security strategy is which of the following? A. To manage the risk impacting business objectives B. To mitigate the risk level to zero C. To transfer risk to insurers D. To develop a risk-aware culture
Answer: A. To manage the risk impacting business objectives Explanation: The prime objective of the security strategy is to manage and reduce the risk impacting the business objectives. It is not feasible to mitigate risk levels to zero. The transfer of risk and the development of a risk-aware culture are other aspects of managing risk.
The most important factor for the development of a security strategy is which of the following? A. To understand the key business objectives B. To provide training to the information security team C. To provide sufficient resources for information security D. To develop a risk-aware culture
Answer: A. To understand the key business objectives Explanation: Understanding the key business objectives is the most critical factor to align the security strategy with the business strategy. The security strategy should support the business objectives. The other options are secondary factors.
The information security manager is considered to have achieved value delivery at which of the following points? A. When resource utilization is high B. When budget requirements are low C. When the lowest cost vendors have been appointed D. When staff costs are reduced
Answer: A. When resource utilization is high Explanation: Value delivery means designing a process that gives the maximum benefit to the organization. It suggests a high utilization of available resources for the benefit of the organization. The other options by themselves do not indicate value delivery.
While developing the security strategy, the security manager should be most concerned about which of the following? A. Whether the strategy supports the business objective B. Whether the strategy ensures the optimum utilization of available resources c. Whether the strategy ensures compliance with regulatory requirements D. Whether the strategy minimizes the budget requirements
Answer: A. Whether the strategy supports the business objective Explanation: The most important objective of the security strategy is to support the business requirements and goals. The strategy should support the business objective. The other options are secondary objectives.
The most important factor for developing risk management strategies is which of the following? A. Industry-adopted risk assessment framework B. Business objectives and risk appetite C. Technology architecture D. Geographical spread of business units
Answer: B. Business objectives and risk appetite Explanation: The risk management strategy should support and be aligned with the business objectives and risk appetite of the organization. The other options are not as significant as the business objectives and risk appetite.
The primary reason for the board of directors to be involved in information security initiatives is which of the following? A. Concerns regarding IT architecture B. Concerns regarding the organization's liability C. Concerns regarding compliance D. Concerns regarding the implementation of policy
Answer: B. Concerns regarding the organization's liability Explanation: The involvement of board members in information security initiatives indicates good governance. Directors can be protected from liability if the board has exercised due diligence. Many laws and regulations make the board responsible in the event of data breaches. Even cyber security insurance policies require the board to exercise due diligence as a prerequisite for insurance coverage. The board is not required to involve themselves in routine compliance and policy implementation processes.
The most important result of an information security strategy is which of the following? A. Mature policies and procedures B. Ensuring that residual risk is within an acceptable level C. Mature vulnerability assessment procedures D. Alignment of controls to international standards
Answer: B. Ensuring that residual risk is within an acceptable level Explanation: Residual risk is the risk that remains after the controls are implemented. One of the objectives of a security strategy is to ensure that residual risks are well within an acceptable limit. This gives comfort to management. The other options are not as significant as keeping residual risk within an acceptable level.
The most important factor to be included in an information security strategy is which of the following? A. Details of key business controls B. Security objective and process C. Budget for a specific security tool D. Details of network security control
Answer: B. Security objective and process Explanation: The security strategy consists of desired security objectives supported by processes, methods, and relevant tools and techniques. The other options here are not as significant as security objectives and process.
Accountability for information categorization and protective measures reside with which of the following? A. Security administrator B. Senior management C. System administrator D. End user
Answer: B. Senior management Explanation: Overall accountability resides with senior management though they may delegate responsibility to different functions. The security administrator and system administrator support the security objectives of senior management.
"Systems thinking" in reference to information security indicates which of the following? A. The perspective of artificial intelligence B. The perspective of the whole being greater than the sum of its individual parts C. The perspective of supporting the business objective D. The perspective of governing the entire organization
Answer: B. The perspective of the whole being greater than the sum of its individual parts Explanation: "Systems thinking" in reference to information security indicates the perspective that the system is greater than the sum of its individual parts.
The best way to prepare for a regulatory audit is which of the following? A. To nominate a security administrator as the regulatory liaison B. To conduct self-assessments using regulatory guidelines and reports C. To discuss previous years' regulatory reports with the process owner D. To ensure all regulatory inquiries are approved by the legal department
Answer: B. To conduct self-assessment using regulatory guidelines and reports Explanation: Self-assessment is the best way to determine the readiness of, and then remediate, non-compliant items. This will help the organization to prepare for regulatory review. The other options are not as effective as option B.
The best method to develop an effective data protection strategy is which of the following? A. To conduct a vulnerability assessment B. To design a tailored methodology based on exposure C. To obtain an insurance policy for data losses D. To implement industry best practices
Answer: B. To design a tailored methodology based on exposure Explanation: The classification of data in accordance with its value and exposure, followed by the development of a strategy for each class, is the best method to create an effective data protection strategy. This will address the risk of under as well as overprotection of the data. Vulnerability assessments do not consider threats and other factors that impact the risk treatment. Insurance policies and industry practices may be considered based on risk and classification of data.
1. The first step in developing an information security plan is which of the following? A. To conduct a vulnerability assessment B. To evaluate the current business strategy C. To perform an information system audit D. To evaluate the risk culture of the organization
Answer: B. To evaluate the current business strategy Explanation: The first step for an information security manager is to understand and evaluate the current strategy. This is essential to align the information security plan with the business strategy. The other options here are subsequent steps.
The main objective of designing an information security strategy is which of the following? A. To monitor performance B. To support the business objectives C. To enhance the responsibility of the security manager D. To comply with legal requirements
Answer: B. To support the business objectives Explanation: The prime objective of any security strategy is to support the business objective. The information security strategy should be aligned with business objectives. The other options are secondary objectives.
The most important objective of the information security strategy is which of the following? A. To minimize the risk to an acceptable level B. To support the business objectives and goals of the enterprise C. To ensure the optimum utilization of security resources D. To maximize the return on security investments
Answer: B. To support the business objectives and goals of the enterprise Explanation: The most important objective of the information security strategy is that it should support the objective of the organization. The other options are secondary objectives.
Which of the following is considered to have the most important strategic value? A. Privileged access management processes B. Trends in incident occurrence C. System downtime analysis D. Results of penetration tests
Answer: B. Trends in incident occurrence Explanation: Trends in incident occurrence are more valuable from the strategic perspective as they indicate whether the security program is heading in the right direction or not. The other options are more operational metrics.
Intangible assets should be best valued based on which of the following? A. Acquisition cost B. Replacement cost C. Ability to generate revenue D. Risk analysis
Answer: C. Ability to generate revenue Explanation: Valuation should be done based on the ability of the asset to generate revenue for the organization. In the absence of the availability of assets, the organization will lose much of that revenue acquisition, and the replacement cost of the asset may be more or less than its actual ability to generate revenue.
The most important aspect from the perspective of senior management in an information security strategy is which of the following? A. Details of technology B. Details of compliance requirements C. Business priorities D. Details of procedural aspects
Answer: C. Business priorities Explanation: Management will be more interested to understand how the security strategy is supporting the business objectives; whether their top-level goals and objectives are supported by security. The other options are not relevant at the strategic level.
Who is responsible for the enforcement of the information security policy? A. IS steering committee B. Chief Technical Officer (CTO) C. CISO D. Chief Compliance Officer
Answer: C. CISO Explanation: Generally, the CISO is responsible for enforcing the information security policy. The steering committee monitors the enforcement process but is not responsible for enforcement. The steering committee ensures that the security policy is aligned with business objectives. The CTO and Chief Compliance Officer may to some extent be involved in the enforcement of the policy, but are not directly responsible for it.
Which of the following is the main reason for a change in policy? A. Changes in regulation B. Changes in the security baseline C. Changes in management intent and direction D. Changes in organization culture
Answer: C. Changes in management intent and direction Explanation: The policy reflects the intent and direction of management. Any changes in management intent should also be appropriately addressed in the policy. Changes in regulation and the security baseline should be addressed in procedures, guidelines, and standards. Changes in culture may or may not impact the policy, however the management intent is more significant here.
The security baseline of a mature organization is most likely defined as which of the following? A. Availability of policies B. Availability of IT architecture C. Control objectives being met D. Adherence to regulatory requirements
Answer: C. Control objectives being met Explanation: A baseline is a basic standard with which to comply. In a mature organization, it is expected that control objectives of security should be met. The other options may be part of the control objectives, but whatever the objectives defined, they should be met in a mature organization.
The most important factor in the development of an information security strategy is which of the following? A. IT architecture B. Governance framework C. Current state of security and future objectives D. Support from senior management
Answer: C. Current state of security and future objectives Explanation: It is very important to understand the current state of security and the desired future state or objective. In the absence of clearly defined objectives, it will not be possible to develop the strategy. The other options are important but not as significant as the other objectives.
The most important consideration while developing an information security strategy is which of the following? A. Availability of information security resources B. Adherence to laws and regulations C. Effectiveness in mitigating risk D. Budget allocation for information security
Answer: C. Effectiveness in mitigating risk Explanation: The most important factor is the effectiveness of the information security strategy to address the risk impacting the business objectives. The other options are secondary factors. Even a considerable budget will be meaningless if the security strategy is not effective in mitigating the risk.
The information security manager has been asked to implement a particular security standard. Which of the following is most effective to monitor this? A. Key success factor B. Key objective indicator C. Key performance indicator D. Key goal indicator
Answer: C. Key performance indicator Explanation: A key performance indicator is a measure to determine how well a process is performing compared to expectations. Key success factors determine the most important aspects or issues in achieving a goal. The key objective indicator and key goal indicator define the objective set by the organization.
The best way to align the security goals with the business goals is which of the following? A. Functional goals should support security goals. B. Business goals and security goals should support each other. C. Security goals should be derived from business goals. D. Business goals and security goals should be independent of each other.
Answer: C. Security goals should be derived from business goals. Explanation: Security goals should be developed based on overall business objectives. The security strategy should support the business goals and objectives.
A road map for information security implementation is primarily based on which of the following? A. IT architecture B. IT policy C. Security strategy D. Regulatory requirements
Answer: C. Security strategy Explanation: The security strategy is the guiding force for the implementation of the security program. The road map detailing the security implementation (that is, procedure, resources, timelines, and so on) is developed based on the strategy. The other options may be input factors for designing the strategy. However, once the strategy has been developed, it is considered as the overall guiding principles for the implementation of the security program.
Which of the following should be the first action while developing an information security strategy? A. To identify the assets B. To perform a risk analysis C. To define the scope of the strategy program D. To determine critical business processes
Answer: C. To define the scope of the strategy program. Explanation: The first step should be to define the scope of the strategy program. The other options are subsequent steps to be performed.
An information security manager is asked to develop a cost-effective information security strategy. What is the most important step? A. To identity information assets B. To conduct a valuation of information assets C. To determine the objective of the security strategy D. To classify assets as per risk assessment
Answer: C. To determine the objective of the security strategy Explanation: Determining the objectives of the security strategy is a must before any other steps are taken as all other steps are developed on the basis of the security strategy. The other options are important but not as significant as determining the objective of the security strategy.
The best way to address the conflicting requirements of a multinational organization's security policy with local regulations is which of the following? A. To give priority to policy requirements over local laws B. To follow local laws only C. To establish a local version of the organization's policy D. To discontinue service in conflicting jurisdictions
Answer: C. To establish a local version of the organization's policy Explanation: The best way in such a situation is to establish a local version of the policy that is aligned with local laws and regulations. The other options are not sensible.
Which of the following is the best approach for an information security manager when there is a disagreement between them and the business manager on security aspects of a new process? A. To accept the decision of the business manager as they are the owner of the process B. To mandate the decision of the security manager C. To review the risk assessment with senior management for final consideration D. To prepare a new risk assessment to address the disagreement
Answer: C. To review the risk assessment with senior management for final consideration Explanation: Senior management will be in the best position to evaluate the impact of risks on business requirements. They will be able to make any trade-offs required between security and business processes. The other options will not address the issue.
The timeline for the implementation of information security strategic plan should be which of the following? A. In accordance with the IT strategic plan B. In accordance with changes in technology C. One to five years D. Aligned with the business strategy
Answer: D. Aligned with the business strategy Explanation: The timeline for the information security strategic plan should be designed in accordance and aligned with the business strategy. The other options here should be secondary considerations. The business strategy and requirements should be the primary consideration.
The most important factor to be included in the information security strategic plan is which of the following? A. Information security manpower requirements B. Information security tools and technique requirements C. Information security mission statement D. Desired future state of information security
Answer: D. Desired future state of information security Explanation: The strategic plan should include the desired state of information security. This is the most important factor. The desired state will impact options A and B. The mission statement is a high-level statement that may not indicate the detailed desired state for information security.
Which of the following is the area of most concern for a security manager of an organization that operates in multiple countries? A. Difficulty in implementing a standardized security program B. Difficulty in monitoring the security posture over wide geographical distance C. Difficulty in developing customized security awareness programs D. Difficulty in monitoring compliance with laws and regulations
Answer: D. Difficulty in monitoring compliance with laws and regulations Explanation: The area of most concern is compliance with laws and regulations. Security managers need to ensure that appropriate care is taken to meet local laws. Local laws vary from country to country and sometimes may conflict with the global security requirements of the organization. Non-compliance with laws and regulations may have major impacts on business processes. The other options are not as significant as monitoring compliance with laws and regulations.
The connection between business objectives and security should be demonstrated by which of the following? A. Indirect linkages B. Mapping to standardized controls C. Interconnected constraints D. Direct traceability
Answer: D. Direct traceability Explanation: Direct traceability is the best way to ensure that business and security objectives are connected and that security is adding value to the business objectives. The other options are not as good as traceable connections.
The best indicator to determine the level of alignment of the security objectives with the business objectives is which of the following? A. Interview with security manager B. Review of the capability maturity model C. Review of the risk assessment report D. Review of the business' balanced scorecard
Answer: D. Review of the business' balanced scorecard Explanation: A review of the business' balanced scorecard will help to determine the alignment of security goals with business goals. The balanced scorecard contains important metrics from the business perspective. The other options do not address the alignment of security and business goals directly.
In an information security steering committee, there is no representation from user management. Which of the following is the main risk as a result of this? A. Functional requirements may not be adequately addressed. B. Inadequate user training. C. Inadequate budget allocation. D. The information security strategy may not be aligned with business requirements.
Answer: D. The information security strategy may not be aligned with business requirements. Explanation: The information security steering committee monitors and controls the security strategy. In the absence of input from user management, the strategy may not support the business requirements. This is the major risk from the lack of user management representation. The other options are not as significant as the strategy not supporting the business requirements. User training and budget allocation are not normally under the purview of the steering committee.
The best indicator to determine the effectiveness of a security strategy is which of the following? A. The strategy helps to improve the risk appetite of the organization. B. The strategy helps to implement countermeasures for all the threats. C. The strategy helps to minimize the annual losses. D. The strategy helps to achieve the control objective.
Answer: D. The strategy helps to achieve the control objective. Explanation: Control objectives are developed to achieve an acceptable level of risk. The strategy is considered to be effective if the control objectives are met. The other options may be part of the control objectives, but effectiveness is best measured by evaluating the extent to which the overall control objectives are met.