Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 03

  1. The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

    • head of internal audit.
    • chief operations officer (COO).
    • chief technology officer (CTO).
    • legal counsel.

    The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO’s goals for the infrastructure might, at times, run counter to the goals of information security.

  2. Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

    • Update platform-level security settings
    • Conduct disaster recovery test exercises
    • Approve access to critical financial systems
    • Develop an information security strategy paper
    Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks.
  3. Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

    • assessing the frequency of incidents.
    • quantifying the cost of control failures.
    • calculating return on investment (ROI) projections.
    • comparing spending against similar organizations.
    Calculating the return on investment (ROI) will most closely align security with the impact on the bottom line. Frequency and cost of incidents are factors that go into determining the impact on the business but, by themselves, are insufficient. Comparing spending against similar organizations can be problematic since similar organizations may have different business goals and appetites for risk.
  4. When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

    • aligned with the IT strategic plan.
    • based on the current rate of technological change.
    • three-to-five years for both hardware and software.
    • aligned with the business strategy.
    Any planning for information security should be properly aligned with the needs of the business. Technology should not come before the needs of the business, nor should planning be done on an artificial timetable that ignores business needs.
  5. Which of the following is the MOST important information to include in a strategic plan for information security?

    • Information security staffing requirements
    • Current state and desired future state
    • IT capital investment requirements
    • information security mission statement
    It is most important to paint a vision for the future and then draw a road map from the stalling point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.
  6. Information security projects should be prioritized on the basis of:

    • time required for implementation.
    • impact on the organization.
    • total cost for implementation.
    • mix of resources required.
    Information security projects should be assessed on the basis of the positive impact that they will have on the organization. Time, cost and resource issues should be subordinate to this objective.
  7. Which of the following is the MOST important information to include in an information security standard?

    • Creation date
    • Author name
    • Initial draft approval date
    • Last review date
    The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard. The name of the author as well as the creation and draft dates are not that important.
  8. Which of the following would BEST prepare an information security manager for regulatory reviews?

    • Assign an information security administrator as regulatory liaison
    • Perform self-assessments using regulatory guidelines and reports
    • Assess previous regulatory reports with process owners input
    • Ensure all regulatory inquiries are sanctioned by the legal department
    Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department, or assessing previous reports, is not as effective. The legal department should review all formal inquiries but this does not help prepare for a regulatory review.
  9. An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

    • bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
    • establish baseline standards for all locations and add supplemental standards as required.
    • bring all locations into conformity with a generally accepted set of industry best practices.
    • establish a baseline standard incorporating those requirements that all jurisdictions have in common.
    It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The opposite approach—forcing all locations to be in compliance with the regulations places an undue burden on those locations.
  10. Which of the following BEST describes an information security manager’s role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

    • Ensure that all IT risks are identified
    • Evaluate the impact of information security risks
    • Demonstrate that IT mitigating controls are in place
    • Suggest new IT controls to mitigate operational risk
    The job of the information security officer on such a team is to assess the risks to the business operation. Choice A is incorrect because information security is not limited to IT issues. Choice C is incorrect because at the time a team is formed to assess risk, it is premature to assume that any demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it is premature at the time of the formation of the team to assume that any suggestion of new IT controls will mitigate business operational risk.
  11. From an information security manager perspective, what is the immediate benefit of clearly-defined roles and responsibilities?

    • Enhanced policy compliance
    • Improved procedure flows
    • Segregation of duties
    • Better accountability
    Without well-defined roles and responsibilities, there cannot be accountability. Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct. Choice B is incorrect because people can be assigned to execute procedures that are not well designed. Choice C is incorrect because segregation of duties is not automatic, and roles may still include conflicting duties.
  12. An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

    • Security metrics reports
    • Risk assessment reports
    • Business impact analysis (BIA)
    • Return on security investment report
    Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.
  13. Reviewing which of the following would BEST ensure that security controls are effective?

    • Risk assessment policies
    • Return on security investment
    • Security metrics
    • User access rights
    Reviewing security metrics provides senior management a snapshot view and trends of an organization’s security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.
  14. Which of the following is responsible for legal and regulatory liability?

    • Chief security officer (CSO)
    • Chief legal counsel (CLC)
    • Board and senior management
    • Information security steering group
    The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
  15. While implementing information security governance an organization should FIRST:

    • adopt security standards.
    • determine security baselines.
    • define the security strategy.
    • establish security policies.
    The first step in implementing information security governance is to define the security strategy based on which security baselines are determined. Adopting suitable security- standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.
  16. The MOST basic requirement for an information security governance program is to:

    • be aligned with the corporate business strategy.
    • be based on a sound risk management approach.
    • provide adequate regulatory compliance.
    • provide best practices for security- initiatives.
    To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.
  17. Information security policy enforcement is the responsibility of the:

    • security steering committee.
    • chief information officer (CIO).
    • chief information security officer (CISO).
    • chief compliance officer (CCO).
    Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.
  18. A good privacy statement should include:

    • notification of liability on accuracy of information.
    • notification that information will be encrypted.
    • what the company will do with information it collects.
    • a description of the information classification process.
    Most privacy laws and regulations require disclosure on how information will be used. Choice A is incorrect because that information should be located in the web site’s disclaimer. Choice B is incorrect because, although encryption may be applied, this is not generally disclosed. Choice D is incorrect because information classification would be contained in a separate policy.
  19. Which of the following would be MOST effective in successfully implementing restrictive password policies?

    • Regular password audits
    • Single sign-on system
    • Security awareness program
    • Penalties for noncompliance
    To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.
  20. When designing an information security quarterly report to management, the MOST important element to be considered should be the:

    • information security metrics.
    • knowledge required to analyze each issue.
    • linkage to business area objectives.
    • baseline against which metrics are evaluated.
    The link to business objectives is the most important clement that would be considered by management. Information security metrics should be put in the context of impact to management objectives. Although important, the security knowledge required would not be the first element to be considered. Baselining against the information security metrics will be considered later in the process.