Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 10
-
When an organization and its IT-hosting service provider are establishing a contract with each other, it is MOST important that the contract includes:
- details of expected security metrics.
- each party’s security responsibilities.
- penalties for noncompliance with security policy.
- recovery time objectives (RTOs).
Explanation:
It is very important, when an organization begins working with a third party and before the SLA is signed, to negotiate the company's current security needs and any new security risks.
-
Which of the following would be MOST useful to help senior management understand the status of information security compliance?
- Industry benchmarks
- Risk assessment results
- Business impact analysis (BIA) results
- Key performance indicators (KPIs)
-
Which of the following is MOST likely to be included in an enterprise information security policy?
- Security monitoring strategy
- Audit trail review requirements
- Password composition requirements
- Consequences of noncompliance
-
Which of the following BEST demonstrates that an organization supports information security governance?
- Employees attend annual organization-wide security training.
- Information security policies are readily available to employees.
- The incident response plan is documented and tested regularly.
- Information security steering committee meetings are held regularly.
-
Which of the following should be the PRIMARY expectation of management when an organization introduces an information security governance framework?
- Optimized information security resources
- Consistent execution of information security strategy
- Improved accountability to shareholders
- Increased influence of security management
-
Which of the following is the BEST approach for an information security manager when developing new information security policies?
- Create a stakeholder map.
- Reference an industry standard.
- Establish an information security governance committee.
- Download a policy template.
-
When supporting a large corporation’s board of directors in the development of governance, which of the following is the PRIMARY function of the information security manager?
- Gaining commitment of senior management
- Preparing the security budget
- Providing advice and guidance
- Developing a balanced scorecard
-
When making an outsourcing decision, which of the following functions is MOST important to retain within the organization?
- Security management
- Incident response
- Risk assessment
- Security governance
-
Which of the following would be MOST important to consider when implementing security settings for a new system?
- Results from internal and external audits
- Government regulations and related penalties
- Business objectives and related IT risk
- Industry best practices applicable to the business
-
The MOST important outcome of information security governance is:
- business risk avoidance.
- informed decision making.
- alignment with business goals.
- alignment with compliance requirements.
-
Senior management commitment and support will MOST likely be offered when the value of information security governance is presented from a:
- threat perspective.
- compliance perspective.
- risk perspective.
- policy perspective.
-
Within a security governance framework, which of the following is the MOST important characteristic of the information security committee? The committee:
- conducts frequent reviews of the security policy
- has established relationships with external professionals
- has a clearly defined charter and meeting protocols
- includes a mix of members from all levels of management
-
Which of the following is MOST important to the successful implementation of an information security governance framework across the organization?
- Organizational security controls deployed in line with regulations
- Security management processes aligned with security objectives
- The existing organizational security culture
- Security policies that adhere to industry best practices
-
Which of the following is the MOST effective way to achieve the integration of information security governance into corporate governance?
- Align information security budget requests to organizational goals
- Ensure information security efforts support business goals
- Provide periodic IT balanced scorecards to senior management
- Ensure information security aligns with IT strategy
-
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization’s information security controls, an information security manager should FIRST:
- interview senior management
- conduct a risk assessment
- conduct a cost-benefit analysis
- perform a gap analysis
-
The PRIMARY purpose of implementing information security governance metrics is to:
- measure alignment with best practices.
- assess operational and program metrics.
- refine control operations.
- guide security towards the desired state.
-
Which of the following MOST effectively helps an organization to align information security governance with corporate governance?
- Promoting security as enabler to achieve business objectives
- Prioritizing security initiatives based on IT strategy
- Adopting global security standards to achieve business goals
- Developing security performance metrics
-
Which of the following is MOST helpful for aligning security operations with the IT governance framework?
- Information security policy
- Security risk assessment
- Security operations program
- Business impact analysis (BIA)
-
Which of the following is the BEST approach for an information security manager to effectively manage third-party risk?
- Ensure controls are implemented to address changes in risk.
- Ensure senior management has approved the vendor relationship.
- Ensure risk management efforts are commensurate with risk exposure.
- Ensure vendor governance controls are in place.
-
When trying to integrate information security across an organization, the MOST important goal for a governing body should be to ensure:
- the resources used for information security projects are kept to a minimum.
- information security is treated as a business critical issue.
- funding is approved for requested information security projects.
- periodic information security audits are conducted.