CISM - Information Security Governance, Strategy, Objectives & Metrics
Which of the following is the MOST appropriate task for a chief information security officer to perform?
A. Update platform-level security settings
B. Conduct disaster recovery test exercises
C. Approve access to critical financial systems
D. Develop an information security strategy
D is the correct answer. Justification: Updating platform-level security settings would typically be performed by lower-level personnel because this is a basic administrative task. Conducting recovery test exercises would typically be performed by operational personnel. Approving access would be the job of the data owner. Developing a strategy for information security would be the most appropriate task for the chief information security officer.

An organization's board of directors is concerned about recent fraud attempts that originated over the Internet. What action should the board take to address this concern?
A. Direct information security regarding specific resolutions that are needed to address the risk.
B. Research solutions to determine appropriate actions for the organization.
C. Take no action; information security does not report to the board.
D. Direct management to assess the risk and to report the results to the board.
D is the correct answer. Justification: The board does not direct the security operations, which is delegated to executive management. The board would not research solutions but might direct executive management to do so. Taking no action would not be a responsible course of action. The board would typically direct executive management to assess the risk and report results.

Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer
C. Board of directors
D. Chief information officer
C is the correct answer. Justification: The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer is responsible for security and carrying out senior management's directives. Responsibility for all organizational assets, including information, falls to the board of directors, which is tasked with responding to issues that affect the information's protection. The chief information officer is responsible for information technology within the organization but is not ultimately legally responsible for an organization's information.

Acceptable levels of information security risk should be determined by:
A. legal counsel.
B. security management.
C. external auditors.
D. the steering committee.
D is the correct answer. Justification: Legal counsel is not in a position to determine what levels of business risk the organization is willing to assume. An acceptable level of risk in an organization is a business decision, not a security decision. External auditors can point out areas of risk but are not in a position to determine what levels of risk the organization is willing to assume. Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume.

The concept of governance, risk and compliance serves PRIMARILY to:
A. align organization assurance functions.
B. ensure that all three activities are addressed by policy.
C. present the correct sequence of security activities.
D. define the responsibilities of information security.
A is the correct answer. Justification: Governance, risk and compliance (GRC) is an effort to integrate assurance activities across an organization to achieve greater efficiency and effectiveness. It is unlikely that all three activities would not be covered by policies, but GRC may unify existing policies to reduce complexity and any differences that exist. GRC does not deal directly with the sequence of security activities, and all three may occur concurrently. GRC is about integration of these activities, not the specific responsibilities of various groups.

The purpose of an information security strategy is to:
A. express the goals of an information security program and the plan to achieve them.
B. outline the intended configuration of information system security controls.
C. mandate the behavior and acceptable actions of all information system users.
D. authorize the steps and procedures necessary to protect critical information systems.
A is the correct answer. Justification: The purpose of the strategy is to set out the goals of the information security program and the plan to achieve those objectives. A strategy is usually too high level to deal specifically with control configuration. Some elements of strategy may deal with required behaviors and actions, but it will not be a mandate; rather, it is part of a process to achieve a particular objective. Strategy will not deal with authorizing specific actions.

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan.
B. based on the current rate of technological change.
C. three to five years for both hardware and software.
D. aligned with the business strategy.
D is the correct answer. Justification: Any planning for information security should be properly aligned with the needs of the business, not necessarily the IT strategic plan. Technology needs should not come before the needs of the business. Planning should not be done on an artificial timetable that ignores business needs. Any planning for information security should be properly aligned with the needs of the business.

Which of the following is the MOST important consideration when developing an information security strategy?
A. Resources available to implement the program
B. Compliance with legal and regulatory constraints
C. Effectiveness of risk mitigation
D. Resources required to implement the strategy
C is the correct answer. Justification: The availability of resources is a factor in developing and implementing the program but is not the main consideration. Legal and regulatory requirements must be considered in the strategy to the extent management determines the appropriate level of compliance. Effectively managing information risk to acceptable levels (in alignment with the business objectives) is the most important overall consideration of an information security strategy. The requirements for resources in implementing the strategy are a consideration, but a secondary one.

Which of the following should be understood before defining risk management strategies?
A. Risk assessment criteria
B. Organizational objectives and risk appetite
C. IT architecture complexity
D. Enterprise disaster recovery plans
B is the correct answer. Justification: The assessment criteria are not relevant to defining risk management strategies. The risk management strategy must be designed to achieve organizational objectives as well as provide adequate controls to limit risk to be consistent with the risk appetite. IT architecture complexity may pose a challenge to the risk assessment process but should not affect the risk management strategy directly. Disaster recovery plans are an element of the risk management strategy but are addressed by organizational objectives and risk appetite.

"Sensitive data must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure" is a statement that would MOST likely be found in a:
A. guideline.
B. policy.
C. procedure.
D. standard.
B is the correct answer. Justification: A guideline is a suggested action that is not mandatory. A policy is a principle that is used to set direction in an organization. It can be a course of action to steer and influence decisions. The wording of the policy must make the course of action mandatory and it must set the direction. A procedure is a particular way of accomplishing something. A standard sets the allowable boundaries for people, processes and technologies that must be met to meet the intent of the policy.

A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will be responsible for evaluating the results and identified risk. Which of the following would be the BEST approach of the information security manager?
A. Acceptance of the business manager's decision on the risk to the corporation
B. Acceptance of the information security manager's decision on the risk to the corporation
C. Review of the risk assessment with executive management for final input
D. A new risk assessment and BIA are needed to resolve the disagreement
C is the correct answer. Justification: The business manager is likely to be focused on getting the business done as opposed to the risk posed to the organization. The typical information security manager is focused on risk, and on average he/she will overestimate risk by about 100 percent, usually considering worst-case scenarios rather than the most probable events. Executive management will be in the best position to consider the big picture and the trade-offs between security and functionality in the entire organization. There is no indication that the assessments are inadequate or defective in some way; therefore, repeating the exercise is not warranted.

Achieving compliance with a particular information security standard selected by management would BEST be described as a:
A. key goal indicator.
B. critical success factor.
C. key performance indicator.
D. business impact analysis.
C is the correct answer. Justification: A key goal indicator defines a clear objective sought by an organization. A key goal indicator is defined as a measure that tells management, after the fact, whether an IT process has achieved its business requirements; usually expressed in terms of information criteria. Critical success factors are steps that must be achieved to accomplish high-level goals. A critical success factor is defined as the most important issue or action for management to achieve control over and within its IT processes. A key performance indicator indicates how well a process is progressing according to expectations. Another definition for a key performance indicator is a measure that determines how well the process is performing in enabling the goal to be reached. A business impact analysis defines risk impact; its main purpose is not to achieve compliance. It is defined as an exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.

An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
A. conflicting security controls with organizational needs.
B. strong protection of information resources.
C. implementing appropriate controls to reduce risk.
D. proving information security's protective abilities.
A is the correct answer. Justification: The needs of the organization were not taken into account, so there is a conflict. This example is not strong protection. A control that significantly restricts the ability of users to do their job is not appropriate. Proving protection abilities at an unacceptable cost or performance is a poor strategy. This does not prove the ability to protect, but proves the ability to interfere with business.

An information security manager can BEST attain senior management commitment and support by emphasizing:
A. organizational risk.
B. organizationwide metrics.
C. security needs.
D. the responsibilities of organizational units.
A is the correct answer. Justification: Information security exists to address risk to the organization that may impede achieving its objectives. Organizational risk will be the most persuasive argument for management commitment and support. Establishing metrics to measure security status will be viewed favorably by senior management after the overall organizational risk is identified. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Identifying organizational responsibilities will be most effective if related directly to addressing organizational risk.

An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is:
A. exploitation of a vulnerability in the information system.
B. threat actors targeting the organization in greater numbers.
C. failure of a previously deployed detective control.
D. approval of a new exception for non-compliance by management.
A is the correct answer. Justification: Exploitation of a vulnerability is likely to generate security events. Absent a change in vulnerability, an increase in the number of threat actors targeting the organization would not explain an increase in security events. An increase in the number of security events that appear on reports suggests that detective controls are likely working properly. Exceptions approved by management may result in a higher number of security events on reports if notice of the exceptions is not provided to information security to allow updates to monitoring. However, exceptions are typically communicated to the information security manager, so this is an unlikely explanation for the increase.

An information security strategy presented to senior management for approval MUST incorporate:
A. specific technologies.
B. compliance mechanisms.
C. business priorities.
D. detailed procedures.
C is the correct answer. Justification: The strategy is a forward-looking document that reflects awareness of technological baselines and developments in general, but specific technologies are typically addressed at lower levels based on the strategy. Mechanisms for compliance with legal and regulatory requirements are generally controls implemented at the tactical level based on direction from the strategy. Strategy is the high-level approach by which priorities and goals can be met. The information security strategy necessarily must incorporate the priorities of the business to be meaningful. Detailed procedures are inappropriate at the strategic level.

An organization has consolidated global operations. The chief information officer (CIO) has asked the chief information security officer (CISO) to develop a new organization information security strategy. Which of the following actions should be taken FIRST?
A. Identify the assets.
B. Conduct a risk assessment.
C. Define the scope.
D. Perform a business impact analysis (BIA).
C is the correct answer. Justification: The scope of the program must be determined before asset identification can be performed. The scope of the program must be determined before a risk assessment can be performed. The scope of the program must be determined before any of the other steps can be performed. The scope of the program must be determined before a BIA can be performed.

An organization has decided to implement governance, risk and compliance processes into several critical areas of the enterprise. Which of the following objectives is the MAIN one?
A. To reduce governance costs
B. To improve risk management
C. To harmonize security activities
D. To meet or maintain regulatory compliance
B is the correct answer. Justification: Governance costs may or may not be reduced, but that is not the primary objective. The overarching objective of governance, risk and compliance (GRC) is improved risk management achieved by integrating these interrelated activities across the enterprise, primarily focused on finance, legal and IT domains. Convergence of security activities would be just one element of GRC. Achieving an appropriate level of regulatory compliance is likely to be one of the goals, but with the overall objective of more effective and efficient management of risk.

An organization's information security strategy should be based on:
A. managing risk relative to business objectives.
B. managing risk to a zero level and minimizing insurance premiums.
C. avoiding occurrence of risks so that insurance is not required.
D. transferring most risk to insurers and saving on control costs.
A is the correct answer. Justification: Organizations must manage risk to a level that is acceptable for their business model, goals and objectives. A zero-level approach may be costly and not provide the effective benefit of additional revenue to the organization. Long-term maintenance of this approach may not be cost-effective. Risk varies as business models and geography, regulatory and operational processes change. Insurance is generally used to protect against low-probability, high-impact events and requires that the organization have certain operational controls to mitigate risk in place in addition to generally high deductibles. Therefore, transferring most risk is not cost-effective.

Business goals define the strategic direction of the organization. Functional goals define the tactical direction of a business function. Security goals define the security direction of the organization. What is the MOST important relationship between these concepts?
A. Functional goals should be derived from security goals.
B. Business goals should be derived from security goals.
C. Security goals should be derived from business goals.
D. Security and business goals should be defined independently from each other.
C is the correct answer. Justification: Functional goals and security goals need to be aligned at the operational level, but neither is derived from the other. Security is not an end in itself, but it should serve the overall business goals. Security goals should be developed based on the overall business strategy. The business strategy is the most important steering mechanism for directing the business and is defined by the highest management level. If security goals are defined independently from business goals, the security function would not support the overall business strategy or it might even hinder the achievement of overall business objectives.

Business objectives should be evident in the security strategy by:
A. inferred connections.
B. standardized controls.
C. managed constraints.
D. direct traceability.
D is the correct answer. Justification: Inferred connections to business objectives are not as good as traceable connections. Standardized controls may or may not be relevant to a particular business objective. Addressing and managing constraints alone is not as useful as also defining explicit benefits. The security strategy will be most useful if there is a direct traceable connection with business objectives.

Decisions regarding information security are BEST supported by:
A. statistical analysis.
B. expert advice.
C. benchmarking.
D. effective metrics.
D is the correct answer. Justification: A statistical analysis of metrics can be helpful, but only if the underlying metrics are sound. Expert advice may be useful, but effective metrics are a better indication. Other organizations would typically only provide some guidance, but decisions should be based on effective metrics. Effective metrics are essential to provide information needed to make decisions. Metrics are a quantifiable entity that allows the measurement of the achievement of a process goal.

Effective governance of enterprise security is BEST ensured by:
A. utilizing a bottom-up approach.
B. management by the IT department.
C. referring the matter to the organization's legal department.
D. using a top-down approach.
D is the correct answer. Justification: Focus on the regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. Governance of enterprise security affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process and may provide useful input but cannot take full responsibility. Effective governance of enterprise security needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of the same.

Effective information security requires a combination of management, administrative and technical controls because:
A. technical controls alone are unable to adequately compensate for faulty processes.
B. senior management is unlikely to fund adequate deployment of technical controls.
C. the approach to addressing or treating specific risk has a significant impact on costs.
D. development of the right strategy needs to be iterative to achieve the desired state.
A is the correct answer. Justification: In addition to typically being less costly, processes are considerably more effective when flaws in a process are the source of risk. Attempting to counteract process flaws using technical controls will generally impose substantial restrictions on business operations and burden the organization with disproportionate cost without addressing the root cause of the problem. Cost is always a consideration, and technical controls tend to be more costly than other types of controls. However, even with unlimited funding, the information security manager is unlikely to be able to adequately compensate for faulty processes solely by deploying technical controls. While the approach to addressing or treating specific risk has a significant impact on cost, it does not explain why deploying technical controls alone cannot create and maintain information security. Regardless of how many iterations of examination and deployment may occur, deployment solely of technical controls will not create and maintain information security.

How should an information security manager balance the potentially conflicting requirements of an international organization's security standards with local regulation?
A. Give organizational standards preference over local regulations.
B. Follow local regulations only.
C. Make the organization aware of those standards where local regulations cause conflicts.
D. Negotiate a local version of the organization standards.
D is the correct answer. Justification: Organizational standards must be subordinate to local regulations. It would be incorrect to follow local regulations only because there must be recognition of organizational requirements. Making an organization aware of standards is a sensible step but is not a complete solution. Negotiating a local version of the organization's standards is the most effective compromise in this situation.

In a mature organization, it would be expected that the security baseline could be approximated by which of the following?
A. Organizational policies are in place.
B. Enterprise architecture is documented.
C. Control objectives are being met.
D. Compliance requirements are addressed.
C is the correct answer. Justification: Policies, as a statement of management intent and direction, will only indicate the security baseline in a general sense. Enterprise architecture may or may not provide an indication of some of the controls implemented. The control objectives, when achieved, set the security baselines. Compliance requirements will indicate some of the controls required, indicative of what the baseline should be, but only in the areas related to specific regulations.

In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.
A is the correct answer. Justification: The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee or management. The information security manager is not necessarily responsible for communicating the security strategy. Management must approve and fund the security strategy implementation.

Information security frameworks can be MOST useful for the information security manager because they:
A. provide detailed processes and methods.
B. are designed to achieve specific outcomes.
C. provide structure and guidance.
D. provide policy and procedure.
C is the correct answer. Justification: Frameworks are general structures rather than detailed processes and methods. Frameworks do not specify particular outcomes, but may provide the structure to assess outcomes against requirements. Frameworks are like the skeleton of a building and provide the outlines and basic structure, but not the specifics of process and outcomes. Frameworks do not specify policies and procedures. Their creation is left to the implementer.

Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
D is the correct answer. Justification: Strategy is the plan to achieve the business objectives of the organization that must be supported by governance. While technology constraints must be considered in developing governance and planning the strategy, it is not the driver. Regulatory requirements must be addressed by governance and may affect how the strategy develops. However, regulatory requirements are not the driver of information security governance. Litigation potential is usually an aspect of liability and is also a consideration for governance and when designing the strategy, but it may be a constraint, not a driver. Business strategy is the main determinant of information security governance because security must align with the business objectives set forth in the business strategy.

Information security governance must be integrated into all business functions and activities PRIMARILY to:
A. maximize security efficiency.
B. standardize operational activities.
C. achieve strategic alignment.
D. address operational risk.
D is the correct answer. Justification: Efficiency is not necessarily an attribute of the integration of governance throughout the organization, but the effectiveness of the governance program to address and reduce business risk is such an attribute. Standardization will help create a more efficient program, but will not necessarily establish a risk mitigation process that will address operational risk to assist business in better managing risk functions and processes. While good governance may help promote strategic alignment, the main reason to ensure integration of governance in all organizational functions is to prevent gaps in the management of risk and maintain acceptable risk levels throughout the organization. All aspects of organizational activities pose risk that is mitigated through effective information security governance and the development and implementation of policies, standards and procedures.

Information security policy enforcement is the responsibility of the:
A. security steering committee.
B. chief information officer.
C. chief information security officer.
D. chief compliance officer.
C is the correct answer. Justification: The security steering committee should ensure that a security policy is in line with corporate objectives but typically is not responsible for enforcement. The chief information officer may to some extent be involved in the enforcement of the policy but is not directly responsible for it. Information security policy enforcement is generally the responsibility of the chief information security officer. The chief compliance officer is usually involved in determining the level of compliance but is usually not directly involved in the enforcement of the policy.

It is MOST important that information security architecture be aligned with which of the following?
A. Industry good practices
B. Business goals and objectives
C. Information technology plans
D. International information security frameworks
B is the correct answer. Justification: Industry good practices may serve as a guideline but may be excessive or insufficient for a particular organization. A security architecture is based on policies and both must be aligned with business goals and objectives. Information technology plans must be aligned with business goals and objectives. International frameworks can serve as a general guide to the extent that they support business goals and objectives.

It is essential for the board of directors to be involved with information security activities primarily because of concerns regarding:
A. technology.
B. liability.
C. compliance.
D. strategy.
B is the correct answer. Justification: The board is typically not essential in selecting particular technical solutions. The insurance policies that organizations typically obtain to shield owners and key stakeholders from liability frequently require a good-faith effort on the part of the board to exercise due care as a precondition for coverage. If the board is not involved, this liability protection may be lost. Compliance is addressed as part of the risk management program. The board sets goals, for which strategies are then developed by senior management or subordinate steering committees.

Of the following, which is the MOST effective way to measure strategic alignment of an information security program?
A. Track audits over time.
B. Evaluate incident losses.
C. Analyze business cases.
D. Interview business owners.
D is the correct answer. Justification: Audit reports may indicate areas of security activities that do not optimally support the enterprise objectives but will not be as good an indicator as insight from business owners. Losses may or may not be considered acceptable by the enterprise but will not be well correlated with the perception of business support. To the extent that business cases have been developed for particular security activities, they will be a good indication of how well business requirements were considered; however, the perception of business owners will ultimately be the most important factor. It is essential that business owners understand and support the security program and fully understand how its controls impact their activities. This can be most readily accomplished through direct interaction with business leadership.

Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
B is the correct answer. Justification: Security awareness training will promote the security policies, procedures and appropriate use of the security mechanisms but will not precede information security governance implementation. Updated security policies are required to align management business objectives with security processes and procedures. Management objectives translate into policy; policy translates into standards and procedures. An incident management team will not be the first requirement for the implementation of information security governance and can exist even if formal governance is minimal. Information security governance provides the basis for architecture and must be implemented before a security architecture is developed.

Systems thinking as it relates to information security is:
A. a prescriptive methodology for designing the systems architecture.
B. an understanding that the whole is greater than the sum of its parts.
C. a process that ensures alignment with business objectives.
D. a framework for information security governance.
B is the correct answer. Justification: While systems thinking is essential to developing a sound systems architecture, it is not a prescriptive approach. A systems approach for developing information security includes the understanding that the whole is more than the sum of its parts and changes in any one part affect the rest. Alignment with business objectives is one of the desired outcomes, but systems thinking does not ensure it. Systems thinking is not a framework for information security governance, although the systems approach can be helpful in implementing an effective information security governance framework as well as an information security management program.

B is the correct answer. Justification: Generally, a framework is more flexible than a process and avoids the rigidity of process approaches. Frameworks, such as International Organization for Standardization (ISO) 27001 and COBIT, are the most common approach to program development. A reference model is one approach to architecture, but it has less flexibility than a framework. Guidelines can provide useful suggestions, but by themselves are not as useful as a framework.
The BEST approach to developing an information security program is to use a:
A. process.
B. framework.
C. model.
D. guideline.
B is the correct answer. Justification: The task of identifying business risk that affects the organization is assigned and acted on after establishing the need for creating the program. In developing an information security management program, the first step is to establish the need for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. The other choices are assigned and acted on after establishing the need. The task of assigning responsibility for the program is assigned and acted on after establishing the need for creating the program. The task of assessing the adequacy of existing controls is assigned and acted on after establishing the need for creating the program.
The FIRST step in developing an information security management program is to:
A. identify business risk that affects the organization.
B. establish the need for creating the program.
C. assign responsibility for the program.
D. assess adequacy of existing controls.
D is the correct answer. Justification: The implementation of stronger controls may lead to circumvention. Awareness training is important but must be based on policies and supported by management. Actively monitoring operations will not directly affect culture. Endorsement from executive management in the form of policy approval provides intent, direction and support.
The FIRST step to create an internal culture that embraces information security is to:
A. implement stronger controls.
B. conduct periodic awareness training.
C. actively monitor operations.
D. gain endorsement from executive management.
A is the correct answer. Justification: To be effective and receive senior management support, an information security program must be aligned with the corporate business strategy. An otherwise sound risk management approach may be of little benefit to an organization unless it specifically addresses and is consistent with the organization's business strategy. The governance program must address regulatory requirements that affect that particular organization to an extent determined by management, but this is not the most basic requirement. Good practices are generally a substitute for specific knowledge of the organization's requirements and may be excessive for some and inadequate for others.
The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives.
D is the correct answer. Justification: Encryption will not prevent the legal requirements to produce documents in the event of legal conflicts. Limiting access to sensitive information based on the need to know may limit which personnel can testify during legal proceedings, but will not limit the requirement to produce existing documents. While some organizations have practiced a policy of not committing to writing issues of dubious legality, it is not a sound practice and may violate a variety of laws. Compliance with legally acceptable defined retention policies will limit exposure to the often difficult and costly demands for documentation during legal proceedings such as lawsuits.
The MOST effective way to limit actual and potential impacts of e-discovery in the event of litigation is to:
A. implement strong encryption of all sensitive documentation.
B. ensure separation of duties and limited access to sensitive data.
C. enforce a policy of not writing or storing potentially sensitive information.
D. develop and enforce comprehensive retention policies.
A is the correct answer. Justification: Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are a function of acceptable risk determination and one part of strategy development but at a high level, best described in terms of desired outcomes. Mapping IT to business processes must occur as one part of strategy implementation but is too specific to describe general strategy objectives. Calculation of annual loss expectations would not describe the objectives in the information security strategy.
The MOST useful way to describe the objectives in the information security strategy is through:
A. attributes and characteristics of the desired state.
B. overall control objectives of the security program.
C. mapping the IT systems to key business processes.
D. calculation of annual loss expectations.
D is the correct answer. Justification: While adequately protecting information and the knowledge base is important, governance is ultimately about achieving business objectives. Unless information security strategy is aligned with business objectives, there is no basis to determine the adequacy of the security posture. Information security governance is more than IT systems. Governance ensures that business objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans.
The PRIMARY focus of information security governance is to:
A. adequately protect the information and knowledge base of the organization.
B. provide assurance to senior management that the security posture is adequate.
C. safeguard the IT systems that store and process business information.
D. optimize the information security strategy to achieve business objectives.
D is the correct answer. Justification: Establishing metrics and performance monitoring is very important to the extent they indicate the achievement of business objectives, but this is only one aspect of the primary requirement to support business objectives. Educating business process owners is subordinate to supporting the business objectives and is only incidental to developing an information security strategy. Meeting legal and regulatory requirements is just one of the objectives of the strategy needed to support business objectives. The purpose of information security in an organization is to assist the organization in achieving its objectives, and it is the primary goal of an information security strategy.
The PRIMARY goal of developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.
D is the correct answer. Justification: An information security strategy is important, but it is one of the ways to achieve the objective of reducing risk and impact. Establishing incident response procedures is important, but it is one of the ways to achieve the objective of reducing risk and impact. Cost-effective security solutions are essential but not the objective of security program development. Reducing risk to and impact on the business is the most important objective of an information security program.
The PRIMARY objective for information security program development should be:
A. creating an information security strategy.
B. establishing incident response procedures.
C. implementing cost-effective security solutions.
D. reducing the impact of the risk in the business.
A is the correct answer. Justification: The information security program must be primarily aligned with the business's strategy and objectives. The risk assessment program is focused on identifying risk scenarios based on the business's strategy and objectives. It must consider all risk, not just operational risk. The protection of the information security program needs to address confidentiality, integrity and availability, not just confidentiality. Security policy and procedures will be developed as part of the security program to achieve protection for information assets consistent with business strategy and objectives.
The PRIMARY purpose of an information security program is to:
A. provide protection to information assets consistent with business strategy and objectives.
B. express the results of an operational risk assessment in terms of business impact.
C. protect the confidentiality of business information and technology resources.
D. develop information security policy and procedures in line with business objectives.
C is the correct answer. Justification: Comparative pricing bids and completing the transaction with the vendor offering the best deal is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business. Adding the purchase to the budget is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business. An assessment must be made first to determine that the proposed solution is aligned with business goals and objectives. Forming a project team for implementation is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business.
The director of auditing has recommended a specific information security monitoring solution to the information security manager. What should the information security manager do FIRST?
A. Obtain comparative pricing bids and complete the transaction with the vendor offering the best deal.
B. Add the purchase to the budget during the next budget preparation cycle to account for costs.
C. Perform an assessment to determine correlation with business goals and objectives.
D. Form a project team to plan the implementation.
D is the correct answer. Justification: Functional requirements and user training programs are considered to be part of project development but are not the main risk. Specifics of training programs are not normally under the purview of the steering committee. The steering committee does not approve budgets for business units. The steering committee usually controls the execution of the information security strategy, and, lacking representation of user management, the committee may fail to consider impact on productivity and adequate user controls.
What is the MAIN risk when there is no user management representation on the information security steering committee?
A. Functional requirements are not adequately considered.
B. User training programs may be inadequate.
C. Budgets allocated to business units are not appropriate.
D. Information security plans are not aligned with business requirements.
D is the correct answer. Justification: KRIs usually signal developing risk but do not indicate what the actual risk is. In that context, they are neither accurate nor reliable. KRIs typically do not provide quantitative metrics about risk. KRIs will not indicate that any particular action is required other than to investigate further. A key risk indicator (KRI) should indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.
What is the MOST essential attribute of an effective key risk indicator (KRI)? The KRI:
A. is accurate and reliable.
B. provides quantitative metrics.
C. indicates required action.
D. is predictive of a risk event.
D is the correct answer. Justification: Policies are developed or modified after a strategy is defined and are one of the controls to implement it. Logical security architecture will be a reflection of the road map and may serve as the road map after a strategy has been developed. While legal and regulatory requirements must be considered, the road map is based on the strategy, which in turn is based on the organization's objectives. The road map detailing the steps, resources and time lines for development of the strategy is developed after the strategy is determined.
What should be the PRIMARY basis of a road map for implementing information security governance?
A. Policies
B. Architecture
C. Legal requirements
D. Strategy
C is the correct answer. Justification: The number of employees has little or no effect on standard information security governance models. The distance between physical locations has little or no effect on standard information security governance models. Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Organizational budget may have some impact on suitable governance models depending on the one chosen because some models will be more costly to implement.
What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget
B is the correct answer. Justification: Vulnerability assessments, third-party or otherwise, do not take into account threat and other factors that influence risk treatment. Organizations classify data according to their value and exposure. The organization can then develop a sensible plan to invest budget and effort where they matter most. An insurance policy is a risk treatment option for the transfer/sharing of risk. Whether it is an appropriate action requires a cost-benefit analysis and a more complete understanding of the risk involved. Tokenization is a technique used to protect data, but whether it is appropriate cannot be known without an understanding of the various exposures to which the data are subject.
When creating an effective data-protection strategy, the information security manager must understand the flow of data and its protection at various stages. This is BEST achieved with:
A. a third-party vulnerability assessment.
B. a tailored methodology based on exposure.
C. an insurance policy for accidental data losses.
D. a tokenization system set up in a secure network environment.
A is the correct answer. Justification: To improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback comparing the desired state of maturity to the current state. Return on security investment may show the performance result of the security-related activities in terms of cost-effectiveness; however, this is not an indication of maturity level. Continuous risk reduction would demonstrate the effectiveness of the security governance framework but does not indicate a higher level of maturity. Key risk indicator setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.
Which of the following BEST contributes to the development of an information security governance framework that supports the maturity model concept?
A. Continuous analysis, monitoring and feedback
B. Continuous monitoring of the return on security investment
C. Continuous risk reduction
D. Key risk indicator setup to security management processes
C is the correct answer. Justification: Interviewing specialists should be performed by the information security manager. Development of program content should be performed by the information security staff. Prioritizing information security initiatives falls within the scope of an information security governance committee. Approving access to critical financial systems is the responsibility of individual system data owners.
Which of the following activities MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems
B is the correct answer. Justification: Ease of implementation is valuable when developing metrics, but not essential. Metrics are most effective when they are meaningful to the person receiving the information. Metrics will only be effective if the recipient can take appropriate action based upon the results. Quantifiable representations can be useful, but qualitative measures are often just as useful. Meeting legal and regulatory requirements may be important, but this is not always essential when developing metrics for meeting business goals.
Which of the following attributes would be MOST essential to developing effective metrics?
A. Easily implemented
B. Meaningful to the recipient
C. Quantifiably represented
D. Meets regulatory requirements
A is the correct answer. Justification: An information security framework will help ensure the protection of information assets from confidentiality, integrity and availability perspectives. Organizational structures that minimize conflicts of interest are important for this to work effectively. Organizational procedures and guidelines must be aligned with policies. The security strategy must be aligned with business objectives. The security policy addresses multiple facets of security.
Which of the following choices is a necessary attribute of an effective information security governance framework?
A. An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities
B. Organizational policies and guidelines in line with predefined procedures
C. Business objectives aligned with a predefined security strategy
D. Security guidelines that address multiple facets of security such as strategy, regulatory compliance and controls
B is the correct answer. Justification: High flexibility and adaptability are commendable attributes, but do not provide a consistent baseline on which to determine significant deviations. Effective key risk indicators result from the deviation from baselines, and consistent methodologies and practices establish the baseline. Robustness and resilience are commendable attributes, but do not provide a consistent baseline on which to determine significant deviations. The cost-benefit ratio does not indicate risk.
Which of the following choices is the BEST attribute of key risk indicators?
A. High flexibility and adaptability
B. Consistent methodologies and practices
C. Robustness and resilience
D. The cost-benefit ratio
A is the correct answer. Justification: Value delivery means that good rates of return and a high utilization of resources are achieved. The budget level is not an indication of value delivery. The lowest cost vendors may not present the best value. Staff-associated overhead costs by themselves are not an indicator of value delivery.
Which of the following choices is the BEST indication that the information security manager is achieving the objective of value delivery?
A. Having a high resource utilization
B. Reducing the budget requirements
C. Utilizing the lowest cost vendors
D. Minimizing the loaded staff cost
A is the correct answer. Justification: A defined maturity level is the best overall indicator of the state of information security governance. The maturity level indicates how mature a process is on a scale from 0 (incomplete process) to 5 (optimizing process). A developed security strategy is an important first step, but it must be implemented properly to be effective and by itself is not an indication of the state of governance. Complete policies and standards are required for effective governance, but are only one part of the requirement and by themselves are not an indicator of the effectiveness of governance. The number of incidents is relatively unconnected to the effectiveness of information security governance. Trends in incidents would be a better indicator.
Which of the following choices is the BEST indicator of the state of information security governance?
A. A defined maturity level
B. A developed security strategy
C. Complete policies and standards
D. Low numbers of incidents
D is the correct answer. Justification: Attitudes among employees and managers may vary by country and this will impact implementation of a security policy, but the impact is not nearly as significant as the variance in national laws. Time differences and reachability are not significant considerations when developing a security strategy. Implementation occurs after a security strategy has been developed. In addition to laws varying from one country to another, they can also conflict, making it difficult for an organization to create an overarching enterprise security policy that adequately addresses the requirements in each nation. The repercussions of failing to adhere to multiple legal frameworks at the same time go well beyond the impacts of the other considerations listed.
Which of the following choices is the MOST important consideration when developing the security strategy of a company operating in different countries?
A. Diverse attitudes toward security by employees and management
B. Time differences and the ability to reach security officers
C. A coherent implementation of security policies and procedures in all countries
D. Compliance with diverse laws and governmental regulations
B is the correct answer. Justification: A lack of proper procedures may well be the issue, but that is a failure of governance. Good governance would ensure that procedures are consistent with standards that meet policy intent. Procedures for configuration that meet standards for a particular security domain will be consistent. Governance is the rules the organization operates by and the oversight to ensure compliance as well as feedback mechanisms that provide assurance that the rules are followed. A failure of one or more of those processes is likely to be the reason that system configurations are inconsistent. Poor standards are also a sign of inadequate governance and likely to result in poor consistency in configurations. Insufficient training indicates that there are no requirements, they are not being met or the trainers are not competent in the subject matter, which is also a lack of effective governance resulting in a lack of oversight, clear requirements for training or a lack of suitable metrics.
Which of the following choices is the MOST likely cause of significant inconsistencies in system configurations?
A. A lack of procedures
B. Inadequate governance
C. Poor standards
D. Insufficient training
D is the correct answer. Justification: A capability maturity model is not as inclusive as a scorecard, does not provide as complete a perspective and is more focused on process. While providing greater detail into processes and capabilities, a process assessment model still only provides a process-focused view rather than a multidimensional one. A risk assessment is used to identify vulnerabilities and controls, but does not address alignment. A business balanced scorecard will align information security goals with the business goals and provides a multidimensional view of both quantitative and qualitative factors.
Which of the following choices would BEST align information security objectives to business objectives?
A. A capability maturity model
B. A process assessment model
C. A risk assessment and analysis
D. A business balanced scorecard
A is the correct answer. Justification: Significant changes in employee turnover indicate that something significant is impacting the workforce, which deserves the attention of the information security manager. If a large number of senior developers are leaving the research and development group, for instance, it may indicate that a competitor is attempting to obtain the organization's development plans or proprietary technology. An increase in the number of packets being dropped may indicate a change in the threat environment, but there is no impact unless legitimate traffic is being impacted. Therefore, the number of packets dropped is not an effective key risk indicator (KRI). An increase in the number of viruses detected may indicate a change in the threat environment, but the increase in detected viruses also indicates that the threat is adequately countered by existing controls. Changes in reporting relationships come about as a result of intentional business decisions, so the reporting relationship of IT is not a KRI.
Which of the following choices would be the MOST significant key risk indicator?
A. A deviation in employee turnover
B. The number of packets dropped by the firewall
C. The number of viruses detected
D. The reporting relationship of IT
D is the correct answer. Justification: Minimizing risk is not the objective. The objective is achieving control objectives and thereby achieving acceptable risk levels. Risk reduction beyond the acceptable level is likely to not be cost-effective and to be a waste of resources. There are some threats for which no countermeasures exist (e.g., comet strikes). The extent of losses is not a reliable indication of the effectiveness of the strategy. Losses may or may not exceed expectations for a variety of reasons and relate to impacts rather than to risk levels. Control objectives are developed to achieve acceptable levels of risk. To the extent that is achieved is a good measure of the effectiveness of the strategy.
Which of the following choices would provide the BEST measure of the effectiveness of the security strategy?
A. Minimizing risk across the enterprise
B. Countermeasures existing for all known threats
C. Losses consistent with annual loss expectations
D. The extent to which control objectives are met
C is the correct answer. Justification: Policies and standards are some of the primary tools to implement a strategy and are subsequent steps in the process. Implementing the information security strategy is the activity that populates or develops the governance framework. Because a strategy is essentially a plan to achieve an objective, it is essential to know the current state of information security and the desired future state or objectives. Management intent and direction is essential to developing objectives; the current state is also required.
Which of the following elements are the MOST essential to develop an information security strategy?
A. Complete policies and standards
B. An appropriate governance framework
C. Current state and objectives
D. Management intent and direction
A is the correct answer. Justification: Without defined objectives, a strategy—the plan to achieve objectives—cannot be developed. Time frames for delivery are important but not critical for inclusion in the strategy document. The adoption of a control framework is not critical prior to developing an information security strategy. Policies are developed subsequent to, and as a part of, implementing a strategy.
Which of the following elements is MOST important when developing an information security strategy?
A. Defined objectives
B. Time frames for delivery
C. Adoption of a control framework
D. Complete policies
B is the correct answer. Justification: The number of users with privileged access, if excessive, can pose unnecessary risk, but is more of an operational metric. Trends in incident frequency will show whether the information security program is improving and heading in the right direction or not. Network downtime is a relevant operational metric in terms of service level agreements but, without trends over time, is not a useful strategic metric. Vulnerability scans are an operational metric.
Which of the following indicators is MOST likely to be of strategic value?
A. Number of users with privileged access
B. Trends in incident frequency
C. Annual network downtime
D. Vulnerability scan results
B is the correct answer. Justification: Key business controls are only one part of a security strategy and must be related to business objectives. A set of security objectives supported by processes, methods, tools and techniques together are the elements that constitute a security strategy. Firewall rule sets, network defaults and intrusion detection system settings are technical details subject to periodic change and are not appropriate content for a strategy document. Budgets will generally not be included in an information security strategy. Additionally, until the information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available.
Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system settings
D. Budget estimates to acquire specific security tools
B is the correct answer. Justification: A positive security environment (culture) enables successful implementation of the security strategy but is not as important as alignment with business objectives during the development of the strategy. Alignment with business strategy is essential in determining the security needs of the organization; this can only be achieved if key business objectives driving the strategy are understood. A reporting line to senior management may be helpful in developing a strategy but does not ensure an understanding of business objectives necessary for strategic alignment. Allocation of resources is not likely to be effective if the business objectives are not well understood.
Which of the following is MOST important in developing a security strategy?
A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security
B is the correct answer. Justification: GRC is generally not used in support of operations and marketing. Governance, risk and compliance (GRC) is largely concerned with ensuring that processes in IT, finance and legal are in compliance with regulatory requirements, that proper rules are in place and that risk is appropriately addressed. Audit, risk and regulations are support functions to IT, finance and legal. Information security and risk can be a part of GRC, and interrelate to audit, risk and regulations, but are primarily in support of IT, finance and legal.
While governance, risk and compliance (GRC) can be applied to any area of an organization, it is MOST often focused on which of the following areas?
A. Operations and marketing
B. IT, finance and legal
C. Audit, risk and regulations
D. Information security and risk
C is the correct answer. Justification: One of the outcomes of GRC is the increased attention on general controls, because they are more pervasive and cost-effective than application-level controls. However, the PRIMARY driver for GRC has been the increased complexity and diversity of assurance requirements and the need to address these through one integrated process. As with most information security activities, appropriate policy support is needed for effective GRC implementation, but that is only one aspect of achieving integration. Governance, risk and compliance (GRC) is a process to integrate multiple disparate but related activities to improve effectiveness, reduce or eliminate conflicting approaches, and reduce costs. GRC is not a model, but an approach to achieving greater assurance process integration.
Which of the following is PRIMARILY related to the emergence of governance, risk and compliance?
A. The increasing need for controls
B. The policy development process
C. The integration of assurance-related activities
D. A model for information security program development
D is the correct answer. Justification A defined information security architecture is helpful but by itself is not a strong indicator of effective governance. Compliance with international standards is not an indication of the use of effective governance. Periodic external audits may serve to provide an opinion on effective governance. A risk management program is a key component of effective governance.
Which of the following is an indicator of effective governance? A defined information security architecture Compliance with international security standards Periodic external audits An established risk management program
B is the correct answer. Justification Centralized information security management is generally less expensive to administer due to the economies of scale. Centralization of information security management results in greater uniformity and better adherence to security policies. With centralized information security management, information security is typically less responsive to specific business unit needs. With centralized information security management, turnaround can be slower due to greater separation and more bureaucracy between the information security department and end users.
Which of the following is characteristic of centralized information security management? More expensive to administer Better adherence to policies More aligned with business unit needs Faster turnaround of requests
C is the correct answer. Justification Uniformity in quality of service tends to vary from unit to unit. Adherence to policies is likely to vary considerably between various business units. Decentralization of information security management generally results in better alignment to business unit needs because security management is closer to the end user. Decentralization of information security management is generally more expensive to administer due to the lack of economies of scale.
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization? More uniformity in quality of service Better adherence to policies Better alignment to business unit needs More savings in total operating costs
A is the correct answer. Justification The overall objective of an information security strategy is to support business objectives and activities and minimize disruptions. Maximizing the effectiveness of resources is one of the factors in developing a strategy but is secondary to supporting organizational activities. The strategy must consider legal and regulatory requirements, but they are just one of the potential impact considerations. Organizational structure affects the approaches to developing a strategy, but is just one of the considerations.
Which of the following is the MOST important consideration when developing an information security strategy? Supporting business objectives Maximizing the effectiveness of available resources Ensuring that legal and regulatory constraints are addressed Determining the effect on the organizational roles and responsibilities
B is the correct answer. Justification Staffing requirements stem from the implementation time lines and requirements of the strategic plan. It is most important to present a vision for the future and then create a road map from the current state to the desired future state based on a gap analysis of the requirements to achieve the desired or future state. IT capital investment requirements are generally not determined at the strategic plan level but rather as a result of gap analysis and the options on how to achieve the objectives of the strategic plan. The mission statement is typically a short, high-level aspirational statement of overall organizational objectives and only directly affects the information security strategy in a very limited way.
Which of the following is the MOST important information to include in a strategic plan for information security? Information security staffing requirements Current state and desired future state IT capital investment requirements Information security mission statement
B is the correct answer. Justification Without alignment with business goals, the risk identified and mitigated as part of the information security strategy may not be the most significant to the business. The most important part of an information security strategy is that it supports the business objectives and goals of the enterprise. Maximizing return on information security investment can only be achieved if the information security strategy is aligned with the business strategy. Efficient utilization of resources at the enterprise level can only be achieved if the information security strategy is aligned with the business
Which of the following is the MOST important objective of an information security strategy review? Ensuring that risk is identified, analyzed and mitigated to acceptable levels Ensuring that information security strategy is aligned with organizational goals Maximizing the return on information security investments Ensuring the efficient utilization of information security resources
B is the correct answer. Justification Consistency of document design facilitates maintenance while consistency of document content across units and entities ensures that documents are applied uniformly; consistency does not ensure alignment with business objectives. Residual risk is the remaining risk after management has implemented a risk response. An important objective of a security strategy is to implement cost-effective controls that ensure that residual risk remains within the organization's risk tolerance levels. Most threats cannot be affected by policy; however, risk likelihood and impact can be affected. Standard controls may or may not be relevant to a particular business objective.
Which of the following is the MOST important outcome of an information security strategy? Consistent policies and standards Ensuring that residual risk is at an acceptable level An improvement in the threat landscape Controls consistent with international standards
C is the correct answer. Justification Identification of information assets and asset ownership is a good starting point for implementing an information security strategy. However, having a clear objective is essential. Valuation of the information assets is best performed after the asset inventory has been compiled and the asset owners are assigned. Asset owners generally classify assets according to the organization's asset classification scheme. Asset classification represents the value of the asset to the organization and is the basis for the required protection levels. Determining the objectives of information security provides the desired outcome of the program, which is a charter for developing a meaningful strategy.
Which of the following is the MOST important step in developing a cost-effective information security strategy that is aligned with business requirements? Identification of information assets and resource ownership Valuation of information assets Determination of clearly defined objectives Classification of assets as to criticality and sensitivity
C is the correct answer. Justification Regulatory requirements typically are better addressed with standards and procedures than with high-level policies. Standards set security baselines, not policies. Policies must reflect management intent and direction. Policies should be changed only when management determines that there is a need to address new legal and regulatory or contractual or business requirements. Employees not abiding by policies is a compliance and enforcement issue rather than a reason to change the policies.
Which of the following is the PRIMARY reason to change policies during program development? The policies must comply with new regulatory and legal mandates. Appropriate security baselines are no longer set in the policies. The policies no longer reflect management intent and direction. Employees consistently ignore the policies.
A is the correct answer. Justification The value of any business asset is generally based on its contribution to generating revenues for the organization, both now and in the future. A business impact analysis (BIA) is a process to determine the impact of losing the support of any resource. The BIA study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision. It may not take into account the long-term impact to revenue of losing intangible assets. Threat analysis is an evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets. The threat analysis usually defines the level of threat and the likelihood of it materializing. Threat assessment is not concerned with asset value, but with the probability of compromise. The replacement cost of intangible assets such as trade secrets typically cannot be calculated because replacement is impossible.
Which of the following items is the BEST basis for determining the value of intangible assets? Contribution to revenue generation A business impact analysis Threat assessment and analysis Replacement costs
C is the correct answer. Justification Annual loss expectancy is the quantification of loss exposure based on probability and frequency of outages with a known or estimated cost. It is part of a business impact analysis and may be calculated at the organization and/or system level, but it is based on projections rather than on observed data. The number of recorded or recognized incidents does not reveal impact. An unplanned business interruption is a standard measure because it provides a quantifiable measure of how much business may be lost due to the inability to acquire, process and produce results that affect the customer(s). The number of high-impact vulnerabilities provides an indication of weakness within the information network and/or systems, but is not by itself an indicator of risk.
Which of the following metrics will provide the BEST indication of organizational risk? Annual loss expectancy The number of information security incidents The extent of unplanned business interruptions The number of high-impact vulnerabilities
B is the correct answer. Justification Justification for program costs will need to be achieved prior to developing the strategy and is more likely based on a business case than on the strategy. A strategy is a plan to achieve an objective that serves to align and integrate program activities to achieve the defined outcomes. Management support will need to be achieved prior to developing the strategy and is more likely based on a business case than on the strategy. Compliance with international standards, such as ISO 27001, does not necessarily require a cohesive plan of action or strategy and can be done piecemeal. If meeting the standard is one of the objectives, a strategy should encompass the actions needed to meet those requirements.
Which of the following reasons is the MOST important to develop a strategy before implementing an information security program? To justify program development costs To integrate development activities To gain management support for an information security program To comply with international standards
D is the correct answer. Justification Corporate standards are established on the basis of governance. While cost effectiveness of risk mitigation approaches is an important consideration, aspects of information security governance cannot be implemented if contrary to organizational goals. Consensus is valuable, but not required. Information security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly. It should support and reflect the goals of the organization.
Which of the following requirements is the MOST important when developing information security governance? Complying with applicable corporate standards Achieving cost-effectiveness of risk mitigation Obtaining consensus of business units Aligning with organizational goals
C is the correct answer. Justification Adopting suitable security standards that implement the intent of the policies follows the development of policies that support the strategy. Security baselines are established as a result of determining acceptable risk, which should be defined as a requirement prior to strategy development. Security governance must be developed to meet and support the objectives of the information security strategy. Policies are a primary instrument of governance and must be developed or modified to support the strategy.
While implementing information security governance, an organization should FIRST: adopt security standards. determine security baselines. define the security strategy. establish security policies.
B is the correct answer. Justification Technical vulnerabilities as a component of risk will be most relevant in the context of threats to achieving the business objectives defined in the business strategy. An information security manager needs to gain an understanding of the current business strategy and direction to understand the organization's objectives and the impact of the other answers on achieving those objectives. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security plan because it focuses on availability, which is also primarily relevant in terms of the business objectives that are the basis of the strategy. Without understanding the business strategy, it will not be possible to determine the current level of awareness because to be effective, awareness must include understanding the context and threats to the organization's business objectives.
Which of the following steps should be FIRST in developing an information security plan? Perform a technical vulnerabilities assessment. Analyze the current business strategy. Perform a business impact analysis. Assess the current levels of security awareness.
A is the correct answer. Justification While defining the information security strategy, it is essential to align it with the business and the IT strategy. In order to do that, the security manager must first focus on understanding the business and the IT strategy. Investigating baseline security is a task associated with strategy implementation. Defining the information security policy is performed after defining security strategy. Risk assessment is performed to determine the control objectives, which is generally performed after the security strategy is defined.
Which of the following tasks should information security management undertake FIRST while creating the information security strategy of the organization? Understand the IT service portfolio. Investigate the baseline security level. Define the information security policy. Assess the risk associated with IT.
B is the correct answer. Justification Frameworks are beneficial as a means of tracking what functions should be performed by effective governance, but the establishment of governance is primarily a matter of understanding business objectives. The governance program needs to be a comprehensive security strategy intrinsically linked with business objectives. It is impossible to build an effective program for governance without understanding the objectives of the business units, and the objectives of the business units can best be understood by examining their processes and functions. Meeting regulatory and legal requirements may be included among the objectives of the business, but compliance with laws and regulations is not the primary function of information security governance. Depending on the cost associated with doing so, businesses may, in some cases, even opt to accept the risk of noncompliance. Governance reflects the objectives of the business. Meeting with the security functions can only provide insight with regard to the technical posture and goals as they currently exist; it does not provide a basis on which to build a program.
Which of the following ways is the BEST to establish a basis on which to build an information security governance program? Align the business with an information security framework. Understand the objectives of the various business units. Direct compliance with regulatory and legal requirements. Meet with representatives of the various security functions.
B is the correct answer. Justification Directing regulators to a specific person or department is not as effective as performing self-assessments. Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Assessing previous regulatory reports is not as effective as performing self-assessments since conditions may have changed. The legal department should review all formal inquiries, but this does not help prepare for a regulatory review.
Which of the following would BEST prepare an information security manager for regulatory reviews? Assign an information security administrator as regulatory liaison. Perform self-assessments using regulatory guidelines and reports. Assess previous regulatory reports with process owners' input. Ensure all regulatory inquiries are sanctioned by the legal department.
A is the correct answer. Justification The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee comprised of senior representatives of affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for ensuring the alignment of the security program with business objectives. Security policy training is important at all levels of the organization and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee to ensure all parts of the organization are aware of the policies. The availability of security training, while beneficial to the overall security program, does not ensure that employees are following the program and have the required level of awareness without a process to enforce awareness and compliance. Even organizations with little overall governance may be effective in patching systems in a timely manner; this is not an indication of effective governance.
Which of the following would be the BEST indicator of effective information security governance within an organization? The steering committee approves security projects. Security policy training is provided to all managers. Security training is available to all employees on the intranet. IT personnel are trained in testing and applying required patches.
B is the correct answer. Justification While it is likely that good results on risk assessments will align with good governance, they are only indirectly correlated with good governance and many other factors are involved such as industry sector, exposure, etc. A high score on the capability maturity model (CMM) scale is a good indicator of good governance. Audit reports generally deal with specifics of compliance and specific risk rather than overall governance. Loss history will be affected by many factors other than governance.
Which of the following would be the BEST indicator that an organization has good governance? Risk assessments Maturity level Audit reports Loss history
B is the correct answer. Justification The security officer supports and implements information security to achieve senior management objectives. Routine administration of all aspects of security is delegated, but top management must retain overall accountability. The end user does not perform categorization. The custodian supports and implements information security measures as directed.
Who is accountable for ensuring that information is categorized and that specific protective measures are taken? The security officer Senior management The end user The custodian
