Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 12
Which of the following BEST demonstrates that the objectives of an information security governance framework are being met?
- Risk dashboard
- Key performance indicators (KPIs)
- Penetration test results
- Balanced scorecard
Which of the following would BEST enable integration of information security governance into corporate governance?
- Ensuring appropriate business representation on the information security steering committee
- Using a balanced scorecard to measure the performance of the information security strategy
- Implementing IT governance, risk and compliance (IT GRC) dashboards
- Having the CIO chair the information security steering committee
Which of the following BEST enables effective information security governance?
- Periodic vulnerability assessments
- Established information security metrics
- Advanced security technologies
- Security-aware corporate culture
The PRIMARY reason to classify information assets should be to ensure:
- proper access control.
- senior management buy-in.
- insurance valuation is appropriate.
- proper ownership is established.
Who would be in the BEST position to determine the recovery point objective (RPO) for business applications?
- Business continuity coordinator
- Chief operations officer (COO)
- Information security manager
- Internal audit
The recovery point objective (RPO) is the processing checkpoint to which systems are recovered. In addition to data owners, the chief operations officer (COO) is the most knowledgeable person to make this decision. It would be inappropriate for the information security manager or an internal audit to determine the RPO because they are not directly responsible for the data or the operation.
Which two components PRIMARILY must be assessed in an effective risk analysis?
- Visibility and duration
- Likelihood and impact
- Probability and frequency
- Financial impact and duration
The probability or likelihood of the event and the financial impact or magnitude of the event must be assessed first. Duration refers to the length of the event; it is important in order to assess impact but is secondary. Once the likelihood is determined, the frequency is also important to determine overall impact.
Information security managers should use risk assessment techniques to:
- justify selection of risk mitigation strategies.
- maximize the return on investment (ROD.
- provide documentation for auditors and regulators.
- quantify risks that would otherwise be subjective.
Information security managers should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible. None of the other choices accomplishes that task, although they are important components.
In assessing risk, it is MOST essential to:
- provide equal coverage for all asset types.
- use benchmarking data from similar organizations.
- consider both monetary value and likelihood of loss.
- focus primarily on threats and recent business losses.
A risk analysis should take into account the potential financial impact and likelihood of a loss. It should not weigh all potential losses evenly, nor should it focus primarily on recent losses or losses experienced by similar firms. Although this is important supplementary information, it does not reflect the organization’s real situation. Geography and other factors come into play as well.
When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify:
- the information security steering committee.
- customers who may be impacted.
- data owners who may be impacted.
- regulatory- agencies overseeing privacy.
The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Other parties will be notified later as required by corporate policy and regulatory requirements.
Data owners are PRIMARILY responsible for establishing risk mitigation methods to address which of the following areas?
- Platform security
- Entitlement changes
- Intrusion detection
- Antivirus controls
Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible. Platform security, intrusion detection and antivirus controls are all within the responsibility of the information security manager.
The PRIMARY goal of a corporate risk management program is to ensure that an organization’s:
- IT assets in key business functions are protected.
- business risks are addressed by preventive controls.
- stated objectives are achievable.
- IT facilities and systems are always available.
Risk management’s primary goal is to ensure an organization maintains the ability to achieve its objectives. Protecting IT assets is one possible goal as well as ensuring infrastructure and systems availability. However, these should be put in the perspective of achieving an organization’s objectives. Preventive controls are not always possible or necessary; risk management will address issues with an appropriate mix of preventive and corrective controls.
It is important to classify and determine relative sensitivity of assets to ensure that:
- cost of protection is in proportion to sensitivity.
- highly sensitive assets are protected.
- cost of controls is minimized.
- countermeasures are proportional to risk.
Classification of assets needs to be undertaken to determine sensitivity of assets in terms of risk to the business operation so that proportional countermeasures can be effectively implemented. While higher costs are allowable to protect sensitive assets, and it is always reasonable to minimize the costs of controls, it is most important that the controls and countermeasures are commensurate to the risk since this will justify the costs. Choice B is important but it is an incomplete answer because it does not factor in risk. Therefore, choice D is the most important.
The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection. In this situation an information security manager should:
- ensure the provider is made liable for losses.
- recommend not renewing the contract upon expiration.
- recommend the immediate termination of the contract.
- determine the current level of security.
It is important to ensure that adequate levels of protection are written into service level agreements (SLAs) and other outsourcing contracts. Information must be obtained from providers to determine how that outsource provider is securing information assets prior to making any recommendation or taking any action in order to support management decision making. Choice A is not acceptable in most situations and therefore not a good answer.
An information security manager has been assigned to implement more restrictive preventive controls. By doing so, the net effect will be to PRIMARILY reduce the:
Implementing more restrictive preventive controls mitigates vulnerabilities but not the threats. Losses and probability of occurrence may not be primarily or directly affected.
When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?
- Evaluate productivity losses
- Assess the impact of confidential data disclosure
- Calculate the value of the information or asset
- Measure the probability of occurrence of each threat
Calculating the value of the information or asset is the first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal. Determining how much productivity could be lost and how much it would cost is a step in the estimation of potential risk process. Knowing the impact if confidential information is disclosed is also a step in the estimation of potential risk. Measuring the probability of occurrence for each threat identified is a step in performing a threat analysis and therefore a partial answer.
Before conducting a formal risk assessment of an organization’s information resources, an information security manager should FIRST:
- map the major threats to business objectives.
- review available sources of risk information.
- identify the value of the critical assets.
- determine the financial impact if threats materialize.
Risk mapping or a macro assessment of the major threats to the organization is a simple first step before performing a risk assessment. Compiling all available sources of risk information is part of the risk assessment. Choices C and D are also components of the risk assessment process, which are performed subsequent to the threats-business mapping.
The valuation of IT assets should be performed by:
- an IT security manager.
- an independent security consultant.
- the chief financial officer (CFO).
- the information owner.
Information asset owners are in the best position to evaluate the value added by the IT asset under review within a business process, thanks to their deep knowledge of the business processes and of the functional IT requirements. An IT security manager is an expert of the IT risk assessment methodology and IT asset valuation mechanisms. However, the manager could not have a deep understanding of all the business processes of the firm. An IT security subject matter expert will take part of the process to identify threats and vulnerabilities and will collaborate with the business information asset owner to define the risk profile of the asset. A chief financial officer (CFO) will have an overall costs picture but not detailed enough to evaluate the value of each IT asset.
The PRIMARY objective of a risk management program is to:
- minimize inherent risk.
- eliminate business risk.
- implement effective controls.
- minimize residual risk.
The goal of a risk management program is to ensure that residual risk remains within manageable levels. Management of risk does not always require the removal of inherent risk nor is this always possible. A possible benefit of good risk management is to reduce insurance premiums, but this is not its primary intention. Effective controls are naturally a clear objective of a risk management program, but with the choices given, choice C is an incomplete answer.
After completing a full IT risk assessment, who can BEST decide which mitigating controls should be implemented?
- Senior management
- Business manager
- IT audit manager
- Information security officer (ISO)
The business manager will be in the best position, based on the risk assessment and mitigation proposals. to decide which controls should/could be implemented, in line with the business strategy and with budget. Senior management will have to ensure that the business manager has a clear understanding of the risk assessed but in no case will be in a position to decide on specific controls. The IT audit manager will take part in the process to identify threats and vulnerabilities, and to make recommendations for mitigations. The information security officer (ISO) could make some decisions regarding implementation of controls. However, the business manager will have a broader business view and full control over the budget and, therefore, will be in a better position to make strategic decisions.
When performing an information risk analysis, an information security manager should FIRST:
- establish the ownership of assets.
- evaluate the risks to the assets.
- take an asset inventory.
- categorize the assets.
Assets must be inventoried before any of the other choices can be performed.