CISM - INFORMATION SECURITY GOVERNANCE, STRATEGY, OBJECTIVES & METRICS QUESTIONS AND ANSWERS 100% CORRECT

Question: The FIRST step in developing an information security management program is to:
- identify business risk that affects the organization.
- establish the need for creating the program.
- assign responsibility for the program.
- assess adequacy of existing controls.
Justification (only the end of the text survives in this extract): …the program.

Question not captured in this extract; answer options:
- More expensive to administer
- Better adherence to policies
- More aligned with business unit needs
- Faster turnaround of requests

Question not captured in this extract; answer options:
- More uniformity in quality of service
- Better adherence to policies
- Better alignment to business unit needs
- More savings in total operating costs

Question: Which of the following activities MOST commonly falls within the scope of an information security governance steering committee?
- Interviewing candidates for information security specialist positions
- Developing content for security awareness programs
- Prioritizing information security initiatives
- Approving access to critical financial systems
Justification: Approving access to critical financial systems is the responsibility of individual system data owners.

Question: While implementing information security governance an organization should FIRST:
- adopt security standards.
- determine security baselines.
- define the security strategy.
- establish security policies.
Justification: Adopting suitable security standards that implement the intent of the policies follows the development of policies that support the strategy. Security baselines are established as a result of determining acceptable risk, which should be defined as a requirement prior to strategy development. Security governance must be developed to meet and support the objectives of the information security strategy. Policies are a primary instrument of governance and must be developed or modified to support the strategy.

Question not captured in this extract; answer options:
- be aligned with the corporate business strategy.
- be based on a sound risk management approach.
- provide adequate regulatory compliance.
- provide good practices for security initiatives.

Question: Which of the following would be the BEST indicator of effective information security governance within an organization?
- The steering committee approves security projects.
- Security policy training is provided to all managers.
(Only two of the answer options survive in this extract.)
Justification: The availability of security training, while beneficial to the overall security program, does not ensure that employees are following the program and have the required level of awareness without a process to enforce awareness and compliance. Even organizations with little overall governance may be effective in patching systems in a timely manner; this is not an indication of effective governance.

Question not captured in this extract; answer options:
- organizational risk.
- organizationwide metrics.
- security needs.
- the responsibilities of organizational units.

Question: Successful implementation of information security governance will FIRST require:
- security awareness training.
- updated security policies.
- a computer incident management team.
- a security architecture.
Justification (the beginning is cut off in this extract): …mentation of information security governance and can exist even if formal governance is minimal. Information security governance provides the basis for architecture and must be implemented before a security architecture is developed.

Question: Which of the following is MOST important in developing a security strategy?
- Creating a positive business security environment
- Understanding key business objectives
- Having a reporting line to senior management
- Allocating sufficient resources to information security
Justification: A positive security environment (culture) enables successful implementation of the security strategy but is not as important as alignment with business objectives during the development of the strategy. Alignment with business strategy is essential in determining the security needs of the organization; this can only be achieved if key business objectives driving the strategy are understood. A reporting line to senior management may be helpful in developing a strategy but does not ensure an understanding of business objectives necessary for strategic alignment. Allocation of resources is not likely to be effective if the business objectives are not well understood.

Question: Acceptable levels of information security risk should be determined by:
- legal counsel.
- security management.
- external auditors.
- the steering committee.
Justification: An acceptable level of risk in an organization is a business decision, not a security decision. External auditors can point out areas of risk but are not in a position to determine what levels of risk the organization is willing to assume. Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume.

Question: Which of the following would BEST prepare an information security manager for regulatory reviews?
- Assign an information security administrator as regulatory liaison.
- Perform self-assessments using regulatory guidelines and reports.
- Assess previous regulatory reports with process owners input.
- Ensure all regulatory inquiries are sanctioned by the legal department.
Justification: Directing regulators to a specific person or department is not as effective as performing self-assessments. Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Assessing previous regulatory reports is not as effective as performing self-assessments since conditions may have changed. The legal department should review all formal inquiries, but this does not help prepare for a regulatory review.