CISM : Certified Information Security Manager : Part 06

  1. An information security manager must understand the relationship between information security and business operations in order to:

    • support organizational objectives.
    • determine likely areas of noncompliance.
    • assess the possible impacts of compromise.
    • understand the threats to the business.

    Explanation:

    Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.

  2. The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

    • escalate issues to an external third party for resolution.
    • ensure that senior management provides authority for security to address the issues.
    • insist that managers or units not in agreement with the security solution accept the risk.
    • refer the issues to senior management along with any security recommendations.
    Explanation:

    Senior management is in the best position to arbitrate since they will look at the overall needs of the business in reaching a decision. The authority may be delegated to others by senior management after their review of the issues and security recommendations. Units should not be asked to accept the risk without first receiving input from senior management.

  3. Obtaining senior management support for establishing a warm site can BEST be accomplished by:

    • establishing a periodic risk assessment.
    • promoting regulatory requirements.
    • developing a business case.
    • developing effective metrics.
    Explanation:

    Business case development, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business case, but by itself will not be as effective in gaining management support. Informing management of regulatory requirements may help gain support for initiatives, but given that more than half of all organizations are not in compliance with regulations, it is unlikely to be sufficient in many cases. Good metrics which provide assurance that initiatives are meeting organizational goals will also be useful, but are insufficient in gaining management support.

  4. Which of the following would be the BEST option to improve accountability for a system administrator who has security functions?

    • Include security responsibilities in the job description
    • Require the administrator to obtain security certification
    • Train the system administrator on penetration testing and vulnerability assessment
    • Train the system administrator on risk assessment
    Explanation:

    The first step to improve accountability is to include security responsibilities in a job description. This documents what is expected and approved by the organization. The other choices are methods to ensure that the system administrator has the training to fulfill the responsibilities included in the job description.

  5. Which of the following is the MOST important element of an information security strategy?

    • Defined objectives
    • Time frames for delivery
    • Adoption of a control framework
    • Complete policies
    Explanation:

    Without defined objectives, a strategy — the plan to achieve objectives — cannot be developed. Time frames for delivery are important but not critical for inclusion in the strategy document. Similarly, the adoption of a control framework is not critical to having a successful information security strategy. Policies are developed subsequent to, and as a part of, implementing a strategy.

  6. A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?

    • Representation by regional business leaders
    • Composition of the board
    • Cultures of the different countries
    • IT security skills
    Explanation:

    Culture has a significant impact on how information security will be implemented. Representation by regional business leaders may not have a major influence unless it concerns cultural issues. Composition of the board may not have a significant impact compared to cultural issues. IT security skills are not as key or high impact in designing a multinational information security program as would be cultural issues.

  7. Which of the following is the BEST justification to convince management to invest in an information security program?

    • Cost reduction
    • Compliance with company policies
    • Protection of business assets
    • Increased business value
    Explanation:

    Investing in an information security program should increase business value and confidence. Cost reduction by itself is rarely the motivator for implementing an information security program. Compliance is secondary to business value. Increasing business value may include protection of business assets.

  8. On a company’s e-commerce web site, a good legal statement regarding data privacy should include:

    • a statement regarding what the company will do with the information it collects.
    • a disclaimer regarding the accuracy of information on its web site.
    • technical information regarding how information is protected.
    • a statement regarding where the information is being hosted.
    Explanation:

    Most privacy laws and regulations require disclosure on how information will be used. A disclaimer is not necessary since it does not refer to data privacy. Technical details regarding how information is protected are not mandatory to publish on the web site and in fact would not be desirable. It is not mandatory to say where information is being hosted.

  9. The MOST important factor in ensuring the success of an information security program is effective:

    • communication of information security requirements to all users in the organization.
    • formulation of policies and procedures for information security.
    • alignment with organizational goals and objectives.
    • monitoring compliance with information security policies and procedures.
    Explanation:

    The success of security programs is dependent upon alignment with organizational goals and objectives. Communication is a secondary step. Effective communication and education of users is a critical determinant of success but alignment with organizational goals and objectives is the most important factor for success. Mere formulation of policies without effective communication to users will not ensure success. Monitoring compliance with information security policies and procedures can be, at best, a detective mechanism that will not lead to success in the midst of uninformed users.

  10. Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?

    • Key control monitoring
    • A robust security awareness program
    • A security program that enables business activities
    • An effective security architecture
    Explanation:

    A security program enabling business activities would be most helpful to achieve alignment between information security and organization objectives. All of the other choices are part of the security program and would not individually and directly help as much as the security program.

  11. Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?

    • Continuous analysis, monitoring and feedback
    • Continuous monitoring of the return on security investment (ROSI)
    • Continuous risk reduction
    • Key risk indicator (KRI) setup to security management processes
    Explanation:

    To improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback compared to the current state of maturity. Return on security investment (ROSI) may show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives. Thus, it may not be an adequate option. Continuous risk reduction would demonstrate the effectiveness of the security governance framework, but does not indicate a higher level of maturity. Key risk indicator (KRI) setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.

  12. The MOST complete business case for security solutions is one that:

    • includes appropriate justification.
    • explains the current risk profile.
    • details regulatory requirements.
    • identifies incidents and losses.
    Explanation:

    Management is primarily interested in security solutions that can address risks in the most cost-effective way. To address the needs of an organization, a business case should address appropriate security solutions in line with the organizational strategy.

  13. Which of the following is MOST important to understand when developing a meaningful information security strategy?

    • Regulatory environment
    • International security standards
    • Organizational risks
    • Organizational goals
    Explanation:

    Alignment of security with business objectives requires an understanding of what an organization is trying to accomplish. The other choices are all elements that must be considered, but their importance is secondary and will vary depending on organizational goals.

  14. Which of the following is the BEST advantage of a centralized information security organizational structure?

    • It allows for a common level of assurance across the enterprise.
    • It is easier to manage and control business unit security teams.
    • It is more responsive to business unit needs.
    • It provides a faster turnaround for security waiver requests.
    Explanation:

    It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation.

  15. Which of the following would help to change an organization’s security culture?

    • Develop procedures to enforce the information security policy
    • Obtain strong management support
    • Implement strict technical security controls
    • Periodically audit compliance with the information security policy
    Explanation:

    Management support and pressure will help to change an organization’s culture. Procedures will support an information security policy, but cannot change the culture of the organization. Technical controls will provide more security to an information system and staff; however, this does not mean the culture will be changed. Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company.

  16. The BEST way to justify the implementation of a single sign-on (SSO) product is to use:

    • return on investment (ROI).
    • a vulnerability assessment.
    • annual loss expectancy (ALE).
    • a business case.
    Explanation:

    A business case shows both direct and indirect benefits, along with the investment required and the expected returns, thus making it useful to present to senior management. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process improvement and learning. A vulnerability assessment is more technical in nature and would only identify and assess the vulnerabilities. This would also not provide insights on indirect benefits. Annual loss expectancy (ALE) would not weigh the advantages of implementing single sign-on (SSO) in comparison to the cost of implementation.

  17. The FIRST step in establishing a security governance program is to:

    • conduct a risk assessment.
    • conduct a workshop for all end users.
    • prepare a security budget.
    • obtain high-level sponsorship.
    Explanation:

    The establishment of a security governance program is possible only with the support and sponsorship of top management since security governance projects are enterprise wide and integrated into business processes. Conducting a risk assessment, conducting a workshop for all end users and preparing a security budget all follow once high-level sponsorship is obtained.

  18. An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:

    • conflicting security controls with organizational needs.
    • strong protection of information resources.
    • implementing appropriate controls to reduce risk.
    • proving information security’s protective abilities.
    Explanation:

    The needs of the organization were not taken into account, so there is a conflict. This example is not strong protection; it is poorly configured. This is not a case of implementing appropriate controls to reduce risk, because the control is not appropriate as it is being used. This does not prove the ability to protect, but proves the ability to interfere with business.

  19. An organization’s information security strategy should be based on:

    • managing risk relative to business objectives.
    • managing risk to a zero level and minimizing insurance premiums.
    • avoiding occurrence of risks so that insurance is not required.
    • transferring most risks to insurers and saving on control costs.
    Explanation:

    Organizations must manage risks to a level that is acceptable for their business model, goals and objectives. A zero-level approach may be costly and not provide the effective benefit of additional revenue to the organization. Long-term maintenance of this approach may not be cost effective. Risks vary as business models, geography, and regulatory and operational processes change. Insurance covers only a small portion of risks and requires that the organization have certain operational controls in place.

  20. Which of the following should be included in an annual information security budget that is submitted for management approval?

    • A cost-benefit analysis of budgeted resources
    • All of the resources that are recommended by the business
    • Total cost of ownership (TCO)
    • Baseline comparisons
    Explanation:

    A brief explanation of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Explanations of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget. Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval.