Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 07

  1. Which of the following is a benefit of information security governance?

    • Reduction of the potential for civil or legal liability
    • Questioning trust in vendor relationships
    • Increasing the risk of decisions based on incomplete management information
    • Direct involvement of senior management in developing control processes


    Information security governance decreases the risk of civil or legal liability. The remaining answers are incorrect. Option D appears to be correct, but senior management would provide oversight and approval as opposed to direct involvement in developing control processes.

  2. Investment in security technology and processes should be based on:

    • clear alignment with the goals and objectives of the organization.
    • success cases that have been experienced in previous projects.
    • best business practices.
    • safeguards that are inherent in existing technology.

    Organization maturity level for the protection of information is a clear alignment with goals and objectives of the organization. Experience in previous projects is dependent upon other business models which may not be applicable to the current model. Best business practices may not be applicable to the organization’s business needs. Safeguards inherent to existing technology are low cost but may not address all business needs and/or goals of the organization.

  3. The data access requirements for an application should be determined by the:

    • legal department.
    • compliance officer.
    • information security manager.
    • business owner.

    Business owners are ultimately responsible for their applications. The legal department, compliance officer and information security manager all can advise, but do not have final responsibility.

  4. From an information security perspective, information that no longer supports the main purpose of the business should be:

    • analyzed under the retention policy.
    • protected under the information classification policy.
    • analyzed under the backup policy.
    • protected under the business impact analysis (BIA).

    Option A is the type of analysis that will determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources, and, in the case of sensitive personal information, can increase the risk of data compromise. Options B, C and D are attributes that should be considered in the destruction and retention policy. A BIA could help determine that this information does not support the main objective of the business, but does not indicate the action to take.

  5. The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?

    • Laws and regulations of the country of origin may not be enforceable in the foreign country.
    • A security breach notification might get delayed due to the time difference.
    • Additional network intrusion detection sensors should be installed, resulting in an additional cost.
    • The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

    A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Option C is a manageable problem that requires additional funding, but can be addressed. Option D is a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or a SAS 70 report can address such concerns.

  6. Effective IT governance is BEST ensured by:

    • utilizing a bottom-up approach.
    • management by the IT department.
    • referring the matter to the organization’s legal department.
    • utilizing a top-down approach.

    Effective IT governance needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of the same. Focus on the regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. IT governance affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process, but cannot take full responsibility.

  7. The FIRST step to create an internal culture that focuses on information security is to:

    • implement stronger controls.
    • conduct periodic awareness training.
    • actively monitor operations.
    • gain the endorsement of executive management.

    Endorsement of executive management in the form of policies provides direction and awareness. The implementation of stronger controls may lead to circumvention. Awareness training is important, but must be based on policies. Actively monitoring operations will not affect culture at all levels.

  8. Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?

    • Obtain the support of the board of directors.
    • Improve the content of the information security awareness program.
    • Improve the employees’ knowledge of security policies.
    • Implement logical access controls to the information systems.

    It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and C are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.

  9. When an organization is implementing an information security governance program, its board of directors should be responsible for:

    • drafting information security policies.
    • reviewing training and awareness programs.
    • setting the strategic direction of the program.
    • auditing for compliance.

    A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company’s vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.

  10. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?

    • Acceptance of the business manager’s decision on the risk to the corporation
    • Acceptance of the information security manager’s decision on the risk to the corporation
    • Review of the assessment with executive management for final input
    • A new risk assessment and BIA are needed to resolve the disagreement

    Executive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process.

  11. Who is responsible for ensuring that information is categorized and that specific protective measures are taken?

    • The security officer
    • Senior management
    • The end user
    • The custodian

    Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

  12. An organization’s board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?

    • Direct information security on what they need to do
    • Research solutions to determine the proper solutions
    • Require management to report on compliance
    • Nothing; information security does not report to the board

    Information security governance is the responsibility of the board of directors and executive management. In this instance, the appropriate action is to ensure that a plan is in place for implementation of needed safeguards and to require updates on that implementation.

  13. Information security should be:

    • focused on eliminating all risks.
    • a balance between technical and business requirements.
    • driven by regulatory requirements.
    • defined by the board of directors.

    Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.

  14. What is the MOST important factor in the successful implementation of an enterprise wide information security program?

    • Realistic budget estimates
    • Security awareness
    • Support of senior management
    • Recalculation of the work factor

    Without the support of senior management, an information security program has little chance of survival. A company’s leadership group, more than any other group, will more successfully drive the program. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. Recalculation of the work factor is a part of risk management.

  15. What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?

    • Functional requirements are not adequately considered.
    • User training programs may be inadequate.
    • Budgets allocated to business units are not appropriate.
    • Information security plans are not aligned with business requirements.

    The steering committee controls the execution of the information security strategy, according to the needs of the organization, and decides on the project prioritization and the execution plan. User management is an important group that should be represented to ensure that the information security plans are aligned with the business needs. Functional requirements and user training programs are considered to be part of the projects but are not the main risks. The steering committee does not approve budgets for business units.

  16. The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:

    • the plan aligns with the organization’s business plan.
    • departmental budgets are allocated appropriately to pay for the plan.
    • regulatory oversight requirements are met.
    • the impact of the plan on the business units is reduced.

    The steering committee controls the execution of the information security strategy according to the needs of the organization and decides on the project prioritization and the execution plan. The steering committee does not allocate department budgets for business units. While ensuring that regulatory oversight requirements are met could be a consideration, it is not the main reason for the review. Reducing the impact on the business units is a secondary concern but not the main reason for the review.

  17. Which of the following should be determined while defining risk management strategies?

    • Risk assessment criteria
    • Organizational objectives and risk appetite
    • IT architecture complexity
    • Enterprise disaster recovery plans

    While defining risk management strategies, one needs to analyze the organization’s objectives and risk appetite and define a risk management framework based on this analysis. Some organizations may accept known risks, while others may invest in and apply mitigation controls to reduce risks. Risk assessment criteria would become part of this framework, but only after proper analysis. IT architecture complexity and enterprise disaster recovery plans are more directly related to assessing risks than defining strategies.

  18. When implementing effective security governance within the requirements of the company’s security strategy, which of the following is the MOST important factor to consider?

    • Preserving the confidentiality of sensitive data
    • Establishing international security standards for data sharing
    • Adhering to corporate privacy standards
    • Establishing system manager responsibility for information security

    The goal of information security is to protect the organization’s information assets. International security standards are situational, depending upon the company and its business. Adhering to corporate privacy standards is important, but those standards must be appropriate and adequate and are not the most important factor to consider. All employees are responsible for information security, but it is not the most important factor to consider.

  19. Which of the following is the BEST reason to perform a business impact analysis (BIA)?

    • To help determine the current state of risk
    • To budget appropriately for needed controls
    • To satisfy regulatory requirements
    • To analyze the effect on the business

    The BIA is included as part of the process to determine the current state of risk and helps determine the acceptable levels of response from impacts and the current level of response, leading to a gap analysis. Budgeting appropriately may come as a result, but is not the reason to perform the analysis. Performing an analysis may satisfy regulatory requirements, but is not the reason to perform one. Analyzing the effect on the business is part of the process, but one must also determine the needs or acceptable effect or response.

  20. Which of the following BEST enables the deployment of consistent security throughout international branches within a multinational organization?

    • Maturity of security processes
    • Remediation of audit findings
    • Decentralization of security governance
    • Establishment of security governance