Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 04

  1. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

    • corporate data privacy policy.
    • data privacy policy where data are collected.
    • data privacy policy of the headquarters’ country.
    • data privacy directive applicable globally.

    As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group-wide policy will address all the local legal requirements. In the case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.

  2. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

    • meet with stakeholders to decide how to comply.
    • analyze key risks in the compliance process.
    • assess whether existing controls meet the regulation.
    • update the existing security/privacy policy.
    If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.
  3. The PRIMARY objective of a security steering group is to:

    • ensure information security covers all business functions.
    • ensure information security aligns with business goals.
    • raise information security awareness across the organization.
    • implement all decisions on security management across the organization.
    The security steering group comprises senior management of key business functions and has the primary objective to align the security strategy with the business direction. Option A is incorrect because all business areas may not be required to be covered by information security; but, if they are, the main purpose of the steering committee would be alignment more so than coverage. While raising awareness is important, this goal would not be carried out by the committee itself. The steering committee may delegate part of the decision making to the information security manager; however, if it retains this authority, it is not the primary goal.
  4. Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

    • baseline.
    • strategy.
    • procedure.
    • policy.
    A policy is a high-level statement of an organization’s beliefs, goals, roles and objectives. Baselines assume a minimum security level throughout an organization. The information security strategy aligns the information security program with business objectives rather than making control statements. A procedure is a step-by-step process of how policy and standards will be implemented.
  5. At what stage of the applications development process should the security department initially become involved?

    • When requested
    • At testing
    • At programming
    • At detail requirements
    Information security has to be integrated into the requirements of the application’s design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process.
  6. A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

    • Examples of genuine incidents at similar organizations
    • Statement of generally accepted best practices
    • Associating realistic threats to corporate objectives
    • Analysis of current technological exposures
    Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.
  7. The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

    • generally accepted industry best practices.
    • business requirements.
    • legislative and regulatory requirements.
    • storage availability.
    The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided.
  8. When personal information is transmitted across networks, there MUST be adequate controls over:

    • change management.
    • privacy protection.
    • consent to data transfer.
    • encryption devices.
    Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals. Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the devices may not ensure adequate privacy protection and, therefore, is a partial answer.
  9. An organization’s information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

    • ensure that security processes are consistent across the organization.
    • enforce baseline security levels across the organization.
    • ensure that security processes are fully documented.
    • implement monitoring of key performance indicators for security processes.
    The organization first needs to move from ad hoc to repeatable processes. The organization then needs to document the processes and implement process monitoring and measurement. Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement. The organization needs to standardize processes both before documentation, and before monitoring and measurement.
  10. Who in an organization has the responsibility for classifying information?

    • Data custodian
    • Database administrator
    • Information security officer
    • Data owner
    The data owner has full responsibility over data. The data custodian is responsible for securing the information. The database administrator carries out the technical administration. The information security officer oversees the overall classification management of the information.
  11. What is the PRIMARY role of the information security manager in the process of information classification within an organization?

    • Defining and ratifying the classification structure of information assets
    • Deciding the classification levels applied to the organization’s information assets
    • Securing information assets in accordance with their classification
    • Checking if information assets have been classified properly
    Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.
  12. Logging is an example of which type of defense against systems compromise?

    • Containment
    • Detection
    • Reaction
    • Recovery
    Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
  13. Which of the following is MOST important in developing a security strategy?

    • Creating a positive business security environment
    • Understanding key business objectives
    • Having a reporting line to senior management
    • Allocating sufficient resources to information security
    Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
  14. Who is ultimately responsible for the organization’s information?

    • Data custodian
    • Chief information security officer (CISO)
    • Board of directors
    • Chief information officer (CIO)
    The board of directors is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management’s directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization’s information.
  15. Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

    • Alignment with industry best practices
    • Business continuity investment
    • Business benefits
    • Regulatory compliance
    Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis or justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.
  16. A security manager meeting the requirements for the international flow of personal data will need to ensure:

    • a data processing agreement.
    • a data protection registration.
    • the agreement of the data subjects.
    • subject access procedures.
    Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.
  17. An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

    • Ethics
    • Proportionality
    • Integration
    • Accountability
    Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation.
  18. Which of the following is the MOST important prerequisite for establishing information security management within an organization?

    • Senior management commitment
    • Information security framework
    • Information security organizational structure
    • Information security policy
    Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.
  19. What will have the HIGHEST impact on standard information security governance models?

    • Number of employees
    • Distance between physical locations
    • Complexity of organizational structure
    • Organizational budget
    Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance. Organizational budget is not a major impact once good governance models are in place; hence governance will help in effective management of the organization’s budget.
  20. In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

    • prepare a security budget.
    • conduct a risk assessment.
    • develop an information security policy.
    • obtain benchmarking information.
    Risk assessment, evaluation and impact analysis will be the starting point for driving management’s attention to information security. All other choices will follow the risk assessment.