CISM - Information Security Governance, Strategy, Objectives & Metrics Exam with complete solution; Latest 2022

1. The FIRST step in developing an information security management program is to:
A. identify business risk that affects the organization.
B. establish the need for creating the program.
C. assign responsibility for the program.
D. assess adequacy of existing controls.
B is the correct answer.
Justification: The task of identifying business risk that affects the organization is assigned and acted on after establishing the need for creating the program. In developing an information security management program, the first step is to establish the need for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. The other choices are assigned and acted on after establishing the need. The task of assigning responsibility for the program is assigned and acted on after establishing the need for creating the program. The task of assessing the adequacy of existing controls is assigned and acted on after establishing the need for creating the program.

2. Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
B is the correct answer.
Justification: Centralized information security management is generally less expensive to administer due to the economies of scale. Centralization of information security management results in greater uniformity and better adherence to security policies. With centralized information security management, information security is typically less responsive to specific business unit needs. With centralized information security management, turnaround can be slower due to greater separation and more bureaucracy between the information security department and end users.

3. Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs
C is the correct answer.
Justification: Uniformity in quality of service tends to vary from unit to unit. Adherence to policies is likely to vary considerably between various business units. Decentralization of information security management generally results in better alignment to business unit needs because security management is closer to the end user. Decentralization of information security management is generally more expensive to administer due to the lack of economies of scale.

4. What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget
C is the correct answer.
Justification: The number of employees has little or no effect on standard information security governance models. The distance between physical locations has little or no effect on standard information security governance models. Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Organizational budget may have some impact on suitable governance models depending on the one chosen because some models will be more costly to implement.

5. Which of the following activities MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems
C is the correct answer.
Justification: Interviewing specialists should be performed by the information security manager. Development of program content should be performed by the information security staff. Prioritizing information security initiatives falls within the scope of an information security governance committee. Approving access to critical financial systems is the responsibility of individual system data owners.

6. While implementing information security governance an organization should FIRST:
A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies.
C is the correct answer.
Justification: Adopting suitable security standards that implement the intent of the policies follows the development of policies that support the strategy. Security baselines are established as a result of determining acceptable risk, which should be defined as a requirement prior to strategy development. Security governance must be developed to meet and support the objectives of the information security strategy. Policies are a primary instrument of governance and must be developed or modified to support the strategy.

7. The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives.
A is the correct answer.
Justification: To be effective and receive senior management support, an information security program must be aligned with the corporate business strategy. An otherwise sound risk management approach may be of little benefit to an organization unless it specifically addresses and is consistent with the organization's business strategy. The governance program must address regulatory requirements that affect that particular organization to an extent determined by management, but this is not the most basic requirement. Good practices are generally a substitute for specific knowledge of the organization's requirements and may be excessive for some and inadequate for others.

8. Which of the following would be the BEST indicator of effective information security governance within an organization?
A. The steering committee approves security projects.
B. Security policy training is provided to all managers.
C. Security training is available to all employees on the intranet.
D. IT personnel are trained in testing and applying required patches.
A is the correct answer.
Justification: The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee comprised of senior representatives of affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for ensuring the alignment of the security program with business objectives. Security policy training is important at all levels of the organization and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee to ensure all parts of the organization are aware of the policies. The availability of security training, while beneficial to the overall security program, does not ensure that employees are following the program and have the required level of awareness without a process to enforce awareness and compliance. Even organizations with little overall governance may be effective in patching systems in a timely manner; this is not an indication of effective governance.

9. An information security manager can BEST attain senior management commitment and support by emphasizing:
A. organizational risk.
B. organizationwide metrics.
C. security needs.
D. the responsibilities of organizational units.
A is the correct answer.
Justification: Information security exists to address risk to the organization that may impede achieving its objectives. Organizational risk will be the most persuasive argument for management commitment and support. Establishing metrics to measure security status will be viewed favorably by senior management after the overall organizational risk is identified. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Identifying organizational responsibilities will be most effective if related directly to addressing organizational risk.

10. Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
B is the correct answer.
Justification: Security awareness training will promote the security policies, procedures and appropriate use of the security mechanisms but will not precede information security governance implementation. Updated security policies are required to align management business objectives with security processes and procedures. Management objectives translate into policy; policy translates into standards and procedures. An incident management team will not be the first requirement for the implementation of information security governance and can exist even if formal governance is minimal. Information security governance provides the basis for architecture and must be implemented before a security architecture is developed.

11. How should an information security manager balance the potentially conflicting requirements of an international organization's security standards with local regulation?
A. Give organizational standards preference over local regulations.
B. Follow local regulations only.
C. Make the organization aware of those standards where local regulations cause conflicts.
D. Negotiate a local version of the organization standards.
D is the correct answer.
Justification: Organizational standards must be subordinate to local regulations. It would be incorrect to follow local regulations only because there must be recognition of organizational requirements. Making an organization aware of standards is a sensible step but is not a complete solution. Negotiating a local version of the organization's standards is the most effective compromise in this situation.

12. Which of the following is MOST important in developing a security strategy?
A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security
B is the correct answer.
Justification: A positive security environment (culture) enables successful implementation of the security strategy but is not as important as alignment with business objectives during the development of the strategy. Alignment with business strategy is essential in determining the security needs of the organization; this can only be achieved if key business objectives driving the strategy are understood. A reporting line to senior management may be helpful in developing a strategy but does not ensure an understanding of business objectives necessary for strategic alignment. Allocation of resources is not likely to be effective if the business objectives are not well understood.

13. Which of the following steps should be FIRST in developing an information security plan?
A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness.
B is the correct answer.
Justification: Technical vulnerabilities as a component of risk will be most relevant in the context of threats to achieving the business objectives defined in the business strategy. An information security manager needs to gain an understanding of the current business strategy and direction to understand the organization's objectives and the impact of the other answers on achieving those objectives. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security plan because it focuses on availability, which is also primarily relevant in terms of the business objectives that are the basis of the strategy. Without understanding the business strategy, it will not be possible to determine the current level of awareness because to be effective, awareness must include understanding the context and threats to the organization's business objectives.

14. Acceptable levels of information security risk should be determined by:
A. legal counsel.
B. security management.
C. external auditors.
D. the steering committee.
D is the correct answer.
Justification: Legal counsel is not in a position to determine what levels of business risk the organization is willing to assume. An acceptable level of risk in an organization is a business decision, not a security decision. External auditors can point out areas of risk but are not in a position to determine what levels of risk the organization is willing to assume. Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume.

15. Which of the following would BEST prepare an information security manager for regulatory reviews?
A. Assign an information security administrator as regulatory liaison.
B. Perform self-assessments using regulatory guidelines and reports.
C. Assess previous regulatory reports with process owners' input.
D. Ensure all regulatory inquiries are sanctioned by the legal department.
B is the correct answer.
Justification: Directing regulators to a specific person or department is not as effective as performing self-assessments. Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Assessing previous regulatory reports is not as effective as performing self-assessments since conditions may have changed. The legal department should review all formal inquiries, but this does not help prepare for a regulatory review.

16. Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system settings
D. Budget estimates to acquire specific security tools
B is the correct answer.
Justification: Key business controls are only one part of a security strategy and must be related to business objectives. A set of security objectives supported by processes, methods, tools and techniques together are the elements that constitute a security strategy. Firewall rule sets, network defaults and intrusion detection system settings are technical details subject to periodic change and are not appropriate content for a strategy document. Budgets will generally not be included in an information security strategy. Additionally, until the information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available.

17. When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan.
B. based on the current rate of technological change.
C. three to five years for both hardware and software.
D. aligned with the business strategy.
D is the correct answer.
Justification: Any planning for information security should be properly aligned with the needs of the business, not necessarily the IT strategic plan. Technology needs should not come before the needs of the business. Planning should not be done on an artificial timetable that ignores business needs. Any planning for information security should be properly aligned with the needs of the business.

18. Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
D is the correct answer.
Justification: Strategy is the plan to achieve the business objectives of the organization that must be supported by governance. While technology constraints must be considered in developing governance and planning the strategy, they are not the driver. Regulatory requirements must be addressed by governance and may affect how the strategy develops. However, regulatory requirements are not the driver of information security governance. Litigation potential is usually an aspect of liability and is also a consideration for governance and when designing the strategy, but it may be a constraint, not a driver. Business strategy is the main determinant of information security governance because security must align with the business objectives set forth in the business strategy.

19. Which of the following is the MOST appropriate task for a chief information security officer to perform?
A. Update platform-level security settings
B. Conduct disaster recovery test exercises
C. Approve access to critical financial systems
D. Develop an information security strategy
D is the correct answer.
Justification: Updating platform-level security settings would typically be performed by lower-level personnel because this is a basic administrative task. Conducting recovery test exercises would typically be performed by operational personnel. Approving access would be the job of the data owner. Developing a strategy for information security would be the most appropriate task for the chief information security officer.

20. Who is ultimately responsible for the organization's information?
A. Data custodian
B. Chief information security officer
C. Board of directors
D. Chief information officer
C is the correct answer.
Justification: The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer is responsible for security and carrying out senior management's directives. Responsibility for all organizational assets, including information, falls to the board of directors, which is tasked with responding to issues that affect the information's protection. The chief information officer is responsible for information technology within the organization but is not ultimately legally responsible for an organization's information.

21. The PRIMARY goal of developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.
D is the correct answer.
Justification: Establishing metrics and performance monitoring is very important to the extent they indicate the achievement of business objectives, but this is only one aspect of the primary requirement to support business objectives. Educating business process owners is subordinate to supporting the business objectives and is only incidental to developing an information security strategy. Meeting legal and regulatory requirements is just one of the objectives of the strategy needed to support business objectives. The purpose of information security in an organization is to assist the organization in achieving its objectives, and it is the primary goal of an information security strategy.

22. Which of the following is the MOST important information to include in a strategic plan for information security?
A. Information security staffing requirements
B. Current state and desired future state
C. IT capital investment requirements
D. Information security mission statement
B is the correct answer.
Justification: Staffing requirements stem from the implementation time lines and requirements of the strategic plan. It is most important to present a vision for the future and then create a road map from the current state to the desired future state based on a gap analysis of the requirements to achieve the desired or future state. IT capital investment requirements are generally not determined at the strategic plan level but rather as a result of gap analysis and the options on how to achieve the objectives of the strategic plan. The mission statement is typically a short, high-level aspirational statement of overall organizational objectives and only directly affects the information security strategy in a very limited way.

23. Information security policy enforcement is the responsibility of the:
A. security steering committee.
B. chief information officer.
C. chief information security officer.
D. chief compliance officer.
C is the correct answer.
Justification: The security steering committee should ensure that a security policy is in line with corporate objectives but typically is not responsible for enforcement. The chief information officer may to some extent be involved in the enforcement of the policy but is not directly responsible for it. Information security policy enforcement is generally the responsibility of the chief information security officer. The chief compliance officer is usually involved in determining the level of compliance but is usually not directly involved in the enforcement of the policy.

24. An organization's information security strategy should be based on:
A. managing risk relative to business objectives.
B. managing risk to a zero level and minimizing insurance premiums.
C. avoiding occurrence of risks so that insurance is not required.
D. transferring most risk to insurers and saving on control costs.
A is the correct answer.
Justification: Organizations must manage risk to a level that is acceptable for their business model, goals and objectives. A zero-level approach may be costly and not provide the effective benefit of additional revenue to the organization. Long-term maintenance of this approach may not be cost-effective. Risk varies as business models and geography, regulatory and operational processes change. Insurance is generally used to protect against low-probability high-impact events and requires that the organization have certain operational controls to mitigate risk in place in addition to generally high deductibles. Therefore, transferring most risk is not cost-effective.

25. Who is accountable for ensuring that information is categorized and that specific protective measures are taken?
A. The security officer
B. Senior management
C. The end user
D. The custodian
B is the correct answer.
Justification: The security officer supports and implements information security to achieve senior management objectives. Routine administration of all aspects of security is delegated, but top management must retain overall accountability. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

26. Of the following, which is the MOST effective way to measure strategic alignment of an information security program?
A. Track audits over time.
B. Evaluate incident losses.
C. Analyze business cases.
D. Interview business owners.
D is the correct answer.
Justification: Audit reports may indicate areas of security activities that do not optimally support the enterprise objectives but will not be as good an indicator as insight from business owners. Losses may or may not be considered acceptable by the enterprise but will not be well correlated with the perception of business support. To the extent that business cases have been developed for particular security activities, they will be a good indication of how well business requirements were considered; however, the perception of business owners will ultimately be the most important factor. It is essential that business owners understand and support the security program and fully understand how its controls impact their activities. This can be most readily accomplished through direct interaction with business leadership.

27. Which of the following is the MOST important objective of an information security strategy review?
A. Ensuring that risk is identified, analyzed and mitigated to acceptable levels
B. Ensuring that information security strategy is aligned with organizational goals
C. Maximizing the return on information security investments
D. Ensuring the efficient utilization of information security resources
B is the correct answer.
Justification: Without alignment with business goals, the risk identified and mitigated as part of the information security strategy may not be the most significant to the business. The most important part of an information security strategy is that it supports the business objectives and goals of the enterprise. Maximizing return on information security investment can only be achieved if the information security strategy is aligned with the business strategy. Efficient utilization of resources at the enterprise level can only be achieved if the information security strategy is aligned with the business

28. It is MOST important that information security architecture be aligned with which of the following?
A. Industry good practices
B. Business goals and objectives
C. Information technology plans
D. International information security frameworks
B is the correct answer.
Justification: Industry good practices may serve as a guideline but may be excessive or insufficient for a particular organization. A security architecture is based on policies and both must be aligned with business goals and objectives. Information technology plans must be aligned with business goals and objectives. International frameworks can serve as a general guide to the extent they support business goals and objectives.

29. Effective governance of enterprise security is BEST ensured by:
A. utilizing a bottom-up approach.
B. management by the IT department.
C. referring the matter to the organization's legal department.
D. using a top-down approach.
D is the correct answer.
Justification: Focus on the regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. Governance of enterprise security affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process and may provide useful input but cannot take full responsibility. Effective governance of enterprise security needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of the same.

30. An organization's board of directors is concerned about recent fraud attempts that originated over the Internet. What action should the board take to address this concern?
A. Direct information security regarding specific resolutions that are needed to address the risk.
B. Research solutions to determine appropriate actions for the organization.
C. Take no action; information security does not report to the board.
D. Direct management to assess the risk and to report the results to the board.
D is the correct answer.
Justification: The board does not direct the security operations, which is delegated to executive management. The board would not research solutions but might direct executive management to do so. Taking no action would not be a responsible course of action. The board would typically direct executive management to assess the risk and report results.

31. The FIRST step to create an internal culture that embraces information security is to:
A. implement stronger controls.
B. conduct periodic awareness training.
C. actively monitor operations.
D. gain endorsement from executive management.
D is the correct answer.
Justification: The implementation of stronger controls may lead to circumvention. Awareness training is important but must be based on policies and supported by management. Actively monitoring operations will not directly affect culture. Endorsement from executive management in the form of policy approval provides intent, direction and support.

32. Which of the following BEST contributes to the development of an information security governance framework that supports the maturity model concept?
A. Continuous analysis, monitoring and feedback
B. Continuous monitoring of the return on security investment
C. Continuous risk reduction
D. Key risk indicator setup to security management processes
A is the correct answer.
Justification: To improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback comparing the desired state of maturity to the current state. Return on security investment may show the performance result of the security-related activities in terms of cost-effectiveness; however, this is not an indication of maturity level. Continuous risk reduction would demonstrate the effectiveness of the security governance framework but does not indicate a higher level of maturity. Key risk indicator (KRI) setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.

33. Which of the following should be understood before defining risk management strategies?
A. Risk assessment criteria
B. Organizational objectives and risk appetite
C. IT architecture complexity
D. Enterprise disaster recovery plans
B is the correct answer.
Justification: The assessment criteria are not relevant to defining risk management strategies. The risk management strategy must be designed to achieve organizational objectives as well as provide adequate controls to limit risk to be consistent with the risk appetite. IT architecture complexity may pose a challenge to the risk assessment process but should not affect the risk management strategy directly. Disaster recovery plans are an element of the risk management strategy but are addressed by organizational objectives and risk appetite.

34. The director of auditing has recommended a specific information security monitoring solution to the information security manager. What should the information security manager do FIRST?
A. Obtain comparative pricing bids and complete the transaction with the vendor offering the best deal.
B. Add the purchase to the budget during the next budget preparation cycle to account for costs.
C. Perform an assessment to determine correlation with business goals and objectives.
D. Form a project team to plan the implementation.
C is the correct answer.
Justification: Obtaining comparative pricing bids and completing the transaction with the vendor offering the best deal is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business. Adding the purchase to the budget is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business. An assessment must be made first to determine that the proposed solution is aligned with business goals and objectives. Forming a project team for implementation is not necessary until a determination has been made regarding whether the product fits the goals and objectives of the business.

35. In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.
A is the correct answer.
Justification: The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee or management. The information security manager is not necessarily responsible for communicating the security strategy. Management must approve and fund the security strategy implementation.

36. An organization has consolidated global operations. The chief information officer (CIO) has asked the chief information security officer (CISO) to develop a new organization information security strategy. Which of the following actions should be taken FIRST?
A. Identify the assets
C is the correct answer.
Justification: The scope of the program must be determined before asset identification can be performed. The scope of the program must be determined before a risk assessment can be performed. The scope of the program must be determined before any of the other steps can be performed. The scope of the program must be determined before a BIA can be performed.
Last updated: 2 years ago
Preview 1 out of 50 pages
Uploaded on: Sep 22, 2022
Number of pages: 50