Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 02
When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
- Develop a security architecture
- Establish good communication with steering committee members
- Assemble an experienced staff
- Benchmark peer organizations
New information security managers should seek to build rapport and establish lines of communication with senior management to enlist their support. Benchmarking peer organizations is beneficial to better understand industry best practices, but it is secondary to obtaining senior management support. Similarly, developing a security architecture and assembling an experienced staff are objectives that can be obtained later.
It is MOST important that information security architecture be aligned with which of the following?
- Industry best practices
- Information technology plans
- Information security best practices
- Business objectives and goals
Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison.
Which of the following is MOST likely to be discretionary?
Policies define security goals and expectations for an organization. These are defined in more specific terms within standards and procedures. Standards establish what is to be done while procedures describe how it is to be done. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.
Security technologies should be selected PRIMARILY on the basis of their:
- ability to mitigate business risks.
- evaluations in trade publications.
- use of new and emerging technologies.
- benefits in comparison to their costs.
The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.
Which of the following are seldom changed in response to technological changes?
Policies are high-level statements of objectives. Because of their high-level nature and statement of broad operating principles, they are less subject to periodic change. Security standards and procedures as well as guidelines must be revised and updated based on the impact of technology changes.
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
- storage capacity and shelf life.
- regulatory and legal requirements.
- business strategy and direction.
- application systems and media.
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
- More uniformity in quality of service
- Better adherence to policies
- Better alignment to business unit needs
- More savings in total operating costs
Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
- Chief security officer (CSO)
- Chief operating officer (COO)
- Chief privacy officer (CPO)
- Chief legal counsel (CLC)
The chief operating officer (COO) is most knowledgeable of business operations and objectives. The chief privacy officer (CPO) and the chief legal counsel (CLC) may not have the knowledge of the day-to-day business operations to ensure proper guidance, although they have the same influence within the organization as the COO. Although the chief security officer (CSO) is knowledgeable of what is needed, the sponsor for this task should be someone with far-reaching influence across the organization.
Which of the following would be the MOST important goal of an information security governance program?
- Review of internal control mechanisms
- Effective involvement in business decision making
- Total elimination of risk factors
- Ensuring trust in data
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.
Relationships among security technologies are BEST defined through which of the following?
- Security metrics
- Network topology
- Security architecture
- Process improvement models
Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.
A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
- Enforce the existing security standard
- Change the standard to permit the deployment
- Perform a risk analysis to quantify the risk
- Perform research to propose use of a better technology
Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.
Acceptable levels of information security risk should be determined by:
- legal counsel.
- security management.
- external auditors.
- the steering committee.
Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel, the external auditors and security management are not in a position to make such a decision.
The PRIMARY goal in developing an information security strategy is to:
- establish security metrics and performance monitoring.
- educate business process owners regarding their duties.
- ensure that legal and regulatory requirements are met.
- support the business objectives of the organization.
The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.
Senior management commitment and support for information security can BEST be enhanced through:
- a formal security policy sponsored by the chief executive officer (CEO).
- regular security awareness training for employees.
- periodic review of alignment with business management goals.
- senior management signoff on the information security strategy.
Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer (CEO) signoff on the security policy and senior management signoff on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.
When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
- Create separate policies to address each regulation
- Develop policies that meet all mandated requirements
- Incorporate policy statements provided by regulators
- Develop a compliance risk assessment
It will be much more efficient to craft all relevant requirements into policies than to create separate versions. Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.
Which of the following MOST commonly falls within the scope of an information security governance steering committee?
- Interviewing candidates for information security specialist positions
- Developing content for security awareness programs
- Prioritizing information security initiatives
- Approving access to critical financial systems
Prioritizing information security initiatives is the only appropriate item. The interviewing of specialists should be performed by the information security manager, while the developing of program content should be performed by the information security staff. Approving access to critical financial systems is the responsibility of individual system data owners.
Which of the following is the MOST important factor when designing information security architecture?
- Technical platform interfaces
- Scalability of the network
- Development methodologies
- Stakeholder requirements
The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically elegant solution is achieved that does not meet the needs of the business.
Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
- Knowledge of information technology platforms, networks and development methodologies
- Ability to understand and map organizational needs to security technologies
- Knowledge of the regulatory environment and project management techniques
- Ability to manage a diverse group of individuals and resources across an organization
Information security will be properly aligned with the goals of the business only with the ability to understand organizational needs and map them to security technologies. All of the other choices are important but secondary to meeting business security needs.
Which of the following are likely to be updated MOST frequently?
- Procedures for hardening database servers
- Standards for password length and complexity
- Policies addressing information security governance
- Standards for document retention and destruction
Policies and standards should generally be more static and less subject to frequent change. Procedures, on the other hand, especially those for hardening operating systems and database servers, are subject to constant change; as the underlying platforms change and evolve, the hardening procedures will have to keep pace.
Who should be responsible for enforcing access rights to application data?
- Data owners
- Business process owners
- The security steering committee
- Security administrators
As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.