Integrating Information Security into Business Processes, Exams of Cybercrime, Cybersecurity and Data Privacy

This document covers the importance of senior management commitment and support for information security, and the key elements of effective information security governance. It highlights the need to align information security with business strategy and objectives, and the role of the information security manager in driving that alignment. It covers topics such as security risk management, security policy development, security architecture design, and the responsibilities of different stakeholders in information security governance, and it describes the factors that influence information security management, such as organizational structure, regulatory requirements, and stakeholder needs. Overall, the document emphasizes the strategic importance of information security in supporting an organization's business goals and objectives.

Typology: Exams

2023/2024

Available from 10/07/2024

DANTUTOR
ISACA CISM
Which of the following steps should be FIRST in developing an information security
plan?
A. Perform a technical vulnerabilities assessment.
B. Analyze the current business strategy.
C. Perform a business impact analysis.
D. Assess the current levels of security awareness. -
B. An information security manager needs to gain an understanding of the
current business strategy and direction to understand the organization's objectives and
the impact of the other answers on achieving those objectives.
Senior management commitment and support for information security can BEST be
obtained through presentations that:
A. Use illustrative examples of successful attacks.
B. Explain the technical risk to the organization.
C. Evaluate the organization against good security practices.
D. Tie security risk to key business objectives. -
D. Senior management wants to understand the business justification for
investing in security in relation to achieving key business objectives.
The MOST appropriate role for senior management in supporting information security is
the:
A. evaluation of vendors offering security products.
B. assessment of risk to the organization.
C. approval of policy statements and funding.
D. development of standards sufficient to achieve acceptable risk. -
C. Policies are a statement of senior management intent and direction.
Therefore, senior management must approve them in addition to providing sufficient
funding to achieve the organization's risk management objectives.
Which of the following would be the BEST indicator of effective information security
governance within an organization?
A. The steering committee approves security projects.
B. Security policy training is provided to all managers.
C. Security training is available to all employees on the intranet.
D. IT personnel are trained in testing and applying required patches. -

A. The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee comprised of senior representatives of affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for ensuring the alignment of the security program with business objectives.

Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy. -
D. Business strategy is the main determinant of information security governance because security must align with the business objectives set forth in the business strategy.

What is the MOST essential attribute of an effective key risk indicator (KRI)? The KRI:
A. is accurate and reliable.
B. provides quantitative metrics.
C. indicates required action.
D. is predictive of a risk event. -
D. A KRI should indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.

Investments in information security technologies should be based on:
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations. -
B. Investments in security technologies should be based on a value analysis and a sound business case.

Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:
A. assessing overall system risk.
B. developing a controls policy.
C. determining treatment options.

C. The overall security strategy
D. The organizational culture -
D. The extent to which the culture is risk averse or risk aggressive, along with the objective ability of the organization to recover from loss, is the main factor in risk appetite.

Which of the following attributes would be MOST essential to developing effective metrics?
A. Easily implemented
B. Meaningful to the recipient
C. Quantifiably represented
D. Meets regulatory requirements -
B. Metrics will only be effective if the recipient can take appropriate action based upon the results.

Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system settings
D. Budget estimates to acquire specific security tools -
B. A set of security objectives supported by processes, methods, tools and techniques together are the elements that constitute a security strategy.

An information security manager can BEST attain senior management commitment and support by emphasizing:
A. organizational risk.
B. performance metrics.
C. security needs.
D. the responsibilities of organizational units. -
A. Information security exists to address risk to the organization that may impede achieving its objectives. Organizational risk will be the most persuasive argument for management commitment and support.

Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans

C. Final approval of information security policies
D. Monitoring adherence to physical security controls -
C. Because senior management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval.

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has difficulty filling vacancies.
B. The chief operating officer approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final sign-off on all security projects. -
D. A steering committee should be in place to approve all security projects. The fact that the data center manager has final sign-off for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance.

Which of the following requirements would have the LOWEST level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business -
A. Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards.

Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards -
C. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.

Security technologies should be selected PRIMARILY on the basis of their:

A. Chief security officer
B. Chief operating officer
C. Chief privacy officer
D. Chief legal counsel -
B. The chief operating officer is most knowledgeable of business operations and objectives.

The MOST important element(s) to consider when developing a business case for a project is the:
A. feasibility and value proposition.
B. resource and time requirements.
C. financial analysis of benefits.
D. alignment with organizational objectives. -
A. Feasibility and whether the value proposition makes sense will be major considerations of whether a project will proceed.

Acceptable levels of information security risk should be determined by:
A. legal counsel.
B. security management.
C. external auditors.
D. the steering committee. -
D. Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume.

The PRIMARY goal of developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization. -
D. The purpose of information security in an organization is to assist the organization in achieving its objectives, and that is the primary goal of an information security strategy.

Senior management commitment and support for information security can BEST be enhanced through:
A. a formal security policy sponsored by the chief executive officer.
B. regular security awareness training for employees.

C. periodic review of alignment with business management goals.
D. senior management sign-off on the information security strategy. -
C. Ensuring that security activities continue to be aligned with and support business goals is critical to obtaining management support.

Which of the following activities MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems -
C. Prioritizing information security initiatives falls within the scope of an information security governance committee.

Which of the following is the MOST important factor when designing information security architecture?
A. Technical platform interfaces
B. Scalability of the network
C. Development methodologies
D. Stakeholder requirements -
D. The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements.

An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is:
A. exploitation of a vulnerability in the information system.
B. threat actors targeting the organization in greater numbers.
C. failure of a previously deployed detective control.
D. approval of a new exception for noncompliance by management. -
A. Exploitation of a vulnerability is likely to generate security events.

Which of the following is the MOST appropriate task for a chief information security officer to perform?
A. Update platform-level security settings.
B. Conduct disaster recovery test exercises.
C. Approve access to critical financial systems.
D. Develop an information security strategy. -

From an information security manager's perspective, what is an immediate benefit of clearly defined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability -
D. Defining roles and responsibilities makes it clear who is accountable for performance and outcomes.

Which of the following roles is responsible for legal and regulatory liability?
A. Chief security officer
B. Chief legal counsel
C. Board of directors and senior management
D. Information security steering group -
C. The board of directors and senior management are ultimately responsible for ensuring regulations are appropriately addressed.

While implementing information security governance, an organization should FIRST:
A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies. -
C. Security governance must be developed to meet and support the objectives of the information security strategy.

The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives. -
A. To be effective and receive senior management support, an information security program must be aligned with the corporate business strategy.

Information security policy enforcement is the responsibility of the:
A. security steering committee.

B. chief information officer.
C. chief information security officer.
D. chief compliance officer. -
C. Information security policy enforcement is generally the responsibility of the chief information security officer.

An information security manager at a global organization has to ensure that the local information security program will initially be in compliance with the:
A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters' country.
D. data privacy directive applicable globally. -
B. As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for compliance.

Segregation of duties (SoD) has been designed and introduced into an accounts payable system. Which of the following should be in place to BEST maintain the effectiveness of SoD?
A. A strong password rule is assigned to disbursement staff.
B. Security awareness is publicized by the compliance department.
C. An operational role matrix is aligned with the organizational chart.
D. Access privilege is reviewed when an operator's role changes. -
D. In order to maintain the effectiveness of SoD established in an application system, user access privileges must be reviewed whenever an operator's role changes. If this effort is neglected, there is a risk that a single staff member could acquire excessive operational capabilities. For instance, if a cash disbursement staff member accidentally acquires a trade input role, this person is technically able to carry out an illegal payment operation.

Information security frameworks can be MOST useful for the information security manager because they:
A. provide detailed processes and methods.
B. are designed to achieve specific outcomes.
C. provide structure and guidance.
D. provide policy and procedure. -
C. Frameworks are like a skeleton; they provide the outlines and basic structure but not the specifics of process and outcomes.
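The SoD question above names the control (re-review access whenever an operator's role changes) but not what that review actually computes. The following is an added example, not part of the question bank or of any ISACA material: it models the accounts-payable scenario with a constructed toxic-combination matrix and shows the check that should run on every role change, blocking the change rather than silently applying it when a conflict appears. The role names, the two operators and the matrix entries are assumptions made for the illustration.

```python
"""
Segregation-of-duties (SoD) review triggered by a role change.

Added example (not from the CISM question bank): models the accounts-payable
scenario in which a cash-disbursement operator picks up a trade-input role.
Role names, operators and the toxic-combination matrix are constructed.
"""
from dataclasses import dataclass, field

# Constructed toxic-combination matrix. Each pair names two roles that one
# person must never hold together, because together they let that person
# both create an obligation and settle it without a second pair of eyes.
TOXIC_COMBINATIONS = {
    frozenset({"trade_input", "cash_disbursement"}): "can create a payable and pay it",
    frozenset({"vendor_master_maintenance", "cash_disbursement"}): "can add a vendor and pay it",
    frozenset({"invoice_approval", "cash_disbursement"}): "can approve an invoice and pay it",
}


@dataclass
class Operator:
    user_id: str
    roles: set[str] = field(default_factory=set)


def sod_conflicts(roles):
    """Return a sorted list of (role_pair, reason) violated by one role set."""
    roles = set(roles)
    found = []
    for pair, reason in TOXIC_COMBINATIONS.items():
        if pair <= roles:  # both roles of the toxic pair are present
            found.append((tuple(sorted(pair)), reason))
    return sorted(found)


def change_role(operator, add=(), remove=()):
    """
    Apply a role change only after re-running the SoD review on the
    resulting role set. Returns (proposed_roles, conflicts). When conflicts
    is non-empty the change is NOT applied; the caller should escalate
    (for example to the application owner) rather than override.
    """
    proposed = (set(operator.roles) - set(remove)) | set(add)
    conflicts = sod_conflicts(proposed)
    if not conflicts:
        operator.roles = proposed
    return proposed, conflicts


def review_all(operators):
    """Periodic access review: user_id -> conflicts, for operators with any."""
    report = {}
    for op in operators:
        conflicts = sod_conflicts(op.roles)
        if conflicts:
            report[op.user_id] = conflicts
    return report


def demo():
    # Constructed operators.
    alice = Operator("alice", {"cash_disbursement"})
    bob = Operator("bob", {"trade_input"})
    # Bob transfers from trade input to disbursement; this is clean only
    # because the old role is removed in the same change.
    _, bob_conflicts = change_role(bob, add={"cash_disbursement"}, remove={"trade_input"})
    # Alice "accidentally" acquires trade input while keeping disbursement:
    # the scenario from the question. The change must be refused.
    _, alice_conflicts = change_role(alice, add={"trade_input"})
    return bob_conflicts, alice_conflicts, alice.roles, review_all([alice, bob])


if __name__ == "__main__":
    print(demo())
```

The matrix is the "operational role matrix" from option C; the point of option D is that the matrix is only useful if `change_role` (or an equivalent review) is actually invoked on every role change, not just at onboarding.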

What is the PRIMARY role of the information security manager related to the data classification and handling process within an organization?
A. Defining and ratifying the organization's data classification structure
B. Assigning the classification levels to the information assets
C. Securing information assets in accordance with their data classification
D. Confirming that information assets have been properly classified -
A. Defining and ratifying the data classification structure consistent with the organization's risk appetite and the business value of information assets is the primary role of the information security manager related to the data classification and handling process within the organization.

Which of the following is MOST important in developing a security strategy?
A. Creating a positive security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security -
B. Alignment with business strategy is essential in determining the security needs of the organization; this can only be achieved if the key business objectives driving the strategy are understood.

Who is ultimately responsible for an organization's information?
A. Data custodian
B. Chief information security officer
C. Board of directors
D. Chief information officer -
C. Responsibility for all organizational assets, including information, falls to the board of directors, which is tasked with responding to issues that affect the information's protection.

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
A. Ethics
B. Proportionality
C. Integration
D. Accountability -
B. Information security controls, including access, should be proportionate to the criticality and/or sensitivity of the asset (i.e., the potential impact of compromise).

Which of the following is the MOST important prerequisite for establishing information security management within an organization?
A. Senior management commitment
B. Information security framework
C. Information security organizational structure
D. Information security policy -
A. Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.

What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget -
C. Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership, and lines of communication.

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
A. prepare a security budget.
B. conduct a risk assessment.
C. develop an information security policy.
D. obtain benchmarking information. -
B. Risk assessment, analysis, evaluation and impact analysis will be the starting point for drawing management's attention to information security.

How should an information security manager balance the potentially conflicting requirements of an international organization's security standards with local regulation?
A. Give organizational standards preference over local regulations.
B. Follow local regulations only.
C. Make the organization aware of those standards where local regulations cause conflicts.
D. Negotiate a local version of the organization's standards. -