CISM : Certified Information Security Manager : Part 05

  1. Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:

    • it implies compliance risks.
    • short-term impact cannot be determined.
    • it violates industry security practices.
    • changes in the roles matrix cannot be detected.

    Monitoring processes are also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law. Choices B and C are evaluated as part of the operational risk. Choice D is unlikely to be as critical a breach of regulatory legislation. The acceptance of operational risks overrides choices B, C and D.

  2. An outcome of effective security governance is:

    • business dependency assessment
    • strategic alignment.
    • risk assessment.
    • planning.
    Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.
  3. How would an information security manager balance the potentially conflicting requirements of an international organization’s security standards and local regulation?

    • Give organization standards preference over local regulations
    • Follow local regulations only
    • Make the organization aware of those standards where local regulations causes conflicts
    • Negotiate a local version of the organization standards
    Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since there needs to be some recognition of organization requirements. Making an organization aware of standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation.
  4. Who should drive the risk analysis for an organization?

    • Senior management
    • Security manager
    • Quality manager
    • Legal department
    Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.
  5. The FIRST step in developing an information security management program is to:

    • identify business risks that affect the organization.
    • clarify organizational purpose for creating the program.
    • assign responsibility for the program.
    • assess adequacy of controls to mitigate business risks.
    In developing an information security management program, the first step is to clarify the organization’s purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.
  6. Which of the following is the MOST important to keep in mind when assessing the value of information?

    • The potential financial loss
    • The cost of recreating the information
    • The cost of insurance coverage
    • Regulatory requirement
    The potential for financial loss is always a key factor when assessing the value of information. Choices B, C and D may be contributors, but not the key factor.
  7. What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

    • Risk assessment report
    • Technical evaluation report
    • Business case
    • Budgetary requirements
    The information security manager needs to prioritize the controls based on risk management and the requirements of the organization. The information security manager must look at the costs of the various controls and compare them against the benefit the organization will receive from the security solution. The information security manager needs to have knowledge of the development of business cases to illustrate the costs and benefits of the various controls. All other choices are supplemental.
  8. To justify its ongoing security budget, which of the following would be of MOST use to the information security’ department?

    • Security breach frequency
    • Annualized loss expectancy (ALE)
    • Cost-benefit analysis
    • Peer group comparison
    Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact. Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization.
  9. Which of the following situations would MOST inhibit the effective implementation of security governance?

    • The complexity of technology
    • Budgetary constraints
    • Conflicting business priorities
    • High-level sponsorship
    The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance. Complexity of technology, budgetary constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors.
  10. What would be the MOST significant security risks when using wireless local area network (LAN) technology?

    • Man-in-the-middle attack
    • Spoofing of data packets
    • Rogue access point
    • Session hijacking
    A rogue access point masquerades as a legitimate access point. The risk is that legitimate users may connect through this access point and have their traffic monitored. All other choices are not dependent on the use of a wireless local area network (LAN) technology.
  11. To achieve effective strategic alignment of security initiatives, it is important that:

    • Steering committee leadership be selected by rotation.
    • Inputs be obtained and consensus achieved between the major organizational units.
    • The business strategy be updated periodically.
    • Procedures and standards be approved by all departmental heads.
    It is important to achieve consensus on risks and controls, and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization. Rotation of steering committee leadership does not help in achieving strategic alignment. Updating business strategy does not lead to strategic alignment of security initiatives. Procedures and standards need not be approved by all departmental heads
  12. When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?

    • Business management
    • Operations manager
    • Information security manager
    • System users
    The escalation process in critical situations should involve the information security manager as the first contact so that appropriate escalation steps are invoked as necessary. Choices A, B and D would be notified accordingly.
  13. In implementing information security governance, the information security manager is PRIMARILY responsible for:

    • developing the security strategy.
    • reviewing the security strategy.
    • communicating the security strategy.
    • approving the security strategy
    The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy.
  14. An information security strategy document that includes specific links to an organization’s business activities is PRIMARILY an indicator of:

    • performance measurement.
    • integration.
    • alignment.
    • value delivery.
    Strategic alignment of security with business objectives is a key indicator of performance measurement. In guiding a security program, a meaningful performance measurement will also rely on an understanding of business objectives, which will be an outcome of alignment. Business linkages do not by themselves indicate integration or value delivery. While alignment is an important precondition, it is not as important an indicator.
  15. When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

    • Compliance with international security standards.
    • Use of a two-factor authentication system.
    • Existence of an alternate hot site in case of business disruption.
    • Compliance with the organization’s information security requirements.

    Prom a security standpoint, compliance with the organization’s information security requirements is one of the most important topics that should be included in the contract with third-party service provider. The scope of implemented controls in any ISO 27001-compliant organization depends on the security requirements established by each organization. Requiring compliance only with this security standard does not guarantee that a service provider complies with the organization’s security requirements. The requirement to use a specific kind of control methodology is not usually stated in the contract with third- party service providers.

  16. To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:

    • review the functionalities and implementation requirements of the solution.
    • review comparison reports of tool implementation in peer companies.
    • provide examples of situations where such a tool would be useful.
    • substantiate the investment in meeting organizational needs.

    Any investment must be reviewed to determine whether it is cost effective and supports the organizational strategy. It is important to review the features and functionalities provided by such a tool, and to provide examples of situations where the tool would be useful, but that comes after substantiating the investment and return on investment to the organization.

  17. The MOST useful way to describe the objectives in the information security strategy is through:

    • attributes and characteristics of the ‘desired state.”
    • overall control objectives of the security program.
    • mapping the IT systems to key business processes.
    • calculation of annual loss expectations.

    Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.

  18. In order to highlight to management, the importance of network security, the security manager should FIRST:

    • develop a security architecture.
    • install a network intrusion detection system (NIDS) and prepare a list of attacks.
    • develop a network security policy.
    • conduct a risk assessment.

    A risk assessment would be most helpful to management in understanding at a very high level the threats, probabilities and existing controls. Developing a security architecture, installing a network intrusion detection system (NIDS) and preparing a list of attacks on the network and developing a network security policy would not be as effective in highlighting the importance to management and would follow only after performing a risk assessment.

  19. When developing an information security program, what is the MOST useful source of information for determining available resources?

    • Proficiency test
    • Job descriptions
    • Organization chart
    • Skills inventory

    A skills inventory would help identify- the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.

  20. The MOST important characteristic of good security policies is that they:

    • state expectations of IT management.
    • state only one general security mandate.
    • are aligned with organizational goals.
    • govern the creation of procedures and guidelines.

    The most important characteristic of good security policies is that they be aligned with organizational goals. Failure to align policies and goals significantly reduces the value provided by the policies. Stating expectations of IT management omits addressing overall organizational goals and objectives. Stating only one general security mandate is the next best option since policies should be clear; otherwise, policies may be confusing and difficult to understand. Governing the creation of procedures and guidelines is most relevant to information security standards.

Notify of
Inline Feedbacks
View all comments