CISM : Certified Information Security Manager : Part 08

  1. Which of the following is the BEST way to determine if an information security program aligns with corporate governance?

    • Evaluate funding for security initiatives
    • Survey end users about corporate governance
    • Review information security policies
    • Review the balanced scorecard

    Explanation:
    One of the most important aspects of the action plan to execute the strategy is to create or modify, as needed, policies and standards. Policies are one of the primary elements of governance and each policy should state only one general security mandate. The road map should show the steps and the sequence, dependencies, and milestones.

  2. Security governance is MOST associated with which of the following IT infrastructure components?

    • Network
    • Application
    • Platform
    • Process

  3. Which of the following is the PRIMARY advantage of having an established information security governance framework in place when an organization is adopting emerging technologies?

    • An emerging technologies strategy is in place
    • An effective security risk management process is established
    • End user acceptance of emerging technologies is established
    • A cost-benefit analysis process is easier to perform

  4. Which of the following is the MOST appropriate board-level activity for information security governance?

    • Establish security and continuity ownership
    • Develop “what-if” scenarios on incidents
    • Establish measures for security baselines
    • Include security in job-performance appraisals

  5. Business units within an organization are resistant to proposed changes to the information security program. Which of the following is the BEST way to address this issue?

    • Implementing additional security awareness training
    • Communicating critical risk assessment results to business unit managers
    • Including business unit representation on the security steering committee
    • Publishing updated information security policies

  6. In addition to business alignment and security ownership, which of the following is MOST critical for information security governance?

    • Auditability of systems
    • Compliance with policies
    • Reporting of security metrics
    • Executive sponsorship

  7. Senior management has allocated funding to each of the organization’s divisions to address information security vulnerabilities. The funding is based on each division’s technology budget from the previous fiscal year. Which of the following should be of GREATEST concern to the information security manager?

    • Areas of highest risk may not be adequately prioritized for treatment
    • Redundant controls may be implemented across divisions
    • Information security governance could be decentralized by division
    • Return on investment may be inconsistently reported to senior management

  8. The effectiveness of an information security governance framework will BEST be enhanced if:

    • IS auditors are empowered to evaluate governance activities
    • risk management is built into operational and strategic activities
    • a culture of legal and regulatory compliance is promoted by management
    • consultants review the information security governance framework

  9. When developing an information security governance framework, which of the following would be the MAIN impact when lacking senior management involvement?

    • Accountability for risk treatment is not clearly defined.
    • Information security responsibilities are not communicated effectively.
    • Resource requirements are not adequately considered.
    • Information security plans do not support business requirements.

  10. Which of the following is the BEST way to facilitate the alignment between an organization’s information security program and business objectives?

    • Information security is considered at the feasibility stage of all IT projects.
    • The information security governance committee includes representation from key business areas.
    • The chief executive officer reviews and approves the information security program.
    • The information security program is audited by the internal audit department.

  11. The effectiveness of the information security process is reduced when an outsourcing organization:

    • is responsible for information security governance activities
    • receives additional revenue when security service levels are met
    • incurs penalties for failure to meet security service-level agreements
    • standardizes on a single access-control software product

  12. What should be an information security manager’s FIRST course of action when an organization is subject to a new regulatory requirement?

    • Perform a gap analysis
    • Complete a control assessment
    • Submit a business case to support compliance
    • Update the risk register

  13. Internal audit has reported a number of information security issues which are not in compliance with regulatory requirements. What should the information security manager do FIRST?

    • Create a security exception
    • Perform a vulnerability assessment
    • Perform a gap analysis to determine needed resources
    • Assess the risk to business operations

  14. Which of the following is the MOST important reason for an organization to develop an information security governance program?

    • Establishment of accountability
    • Compliance with audit requirements
    • Monitoring of security incidents
    • Creation of tactical solutions

  15. The PRIMARY purpose of aligning information security with corporate governance objectives is to:

    • build capabilities to improve security processes.
    • consistently manage significant areas of risk.
    • identify an organization’s tolerance for risk.
    • re-align roles and responsibilities.

  16. Which of the following is the MOST important consideration for designing an effective information security governance framework?

    • Defined security metrics
    • Continuous audit cycle
    • Security policy provisions
    • Security controls automation

  17. The PRIMARY goal of information security governance to an organization is to:

    • align with business processes
    • align with business objectives
    • establish a security strategy
    • manage security costs

  18. Which of the following is the BEST way to integrate information security into corporate governance?

    • Engage external security consultants in security initiatives.
    • Conduct comprehensive information security management training for key stakeholders.
    • Ensure information security processes are part of the existing management processes.
    • Require periodic security risk assessments be performed.

  19. Which of the following is the MOST effective way of ensuring that business units comply with an information security governance framework?

    • Integrating security requirements with processes
    • Performing security assessments and gap analysis
    • Conducting a business impact analysis (BIA)
    • Conducting information security awareness training

  20. Which of the following BEST demonstrates alignment between information security governance and corporate governance?

    • Average number of security incidents across business units
    • Security project justifications provided in terms of business value
    • Number of vulnerabilities identified for high-risk information assets
    • Mean time to resolution for enterprise-wide security incidents