CISM - INFORMATION SECURITY GOVERNANCE, STRATEGY, OBJECTIVES & METRICS Q AND A

Typology: Exams

2024/2025

Available from 08/31/2025

Prof.Steve


Question: The FIRST step in developing an information security management program is to:
A. identify business risk that affects the organization.
B. establish the need for creating the program.
C. assign responsibility for the program.
D. assess adequacy of existing controls.

Answer: B

Justification: In developing an information security management program, the first step is to establish the need for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. The other choices are assigned and acted on only after that need has been established: identifying the business risk that affects the organization, assigning responsibility for the program, and assessing the adequacy of existing controls all follow the decision to create the program.

Question: Which of the following is characteristic
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests

Answer: B

Justification: Centralization of information security management results in greater uniformity and better adherence to security policies. Centralized information security management is generally less expensive to administer because of economies of scale. With centralized management, information security is typically less responsive to specific business unit needs, and turnaround can be slower because of the greater separation and more bureaucracy between the information security department and end users.

Question: Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs

Answer: C

Justification: Decentralization of information security management generally results in better alignment to business unit needs because security management is closer to the end user. Uniformity in quality of service tends to vary from unit to unit, adherence to policies is likely to vary considerably between business units, and decentralized management is generally more expensive to administer because of the lack of economies of scale.

Answer: C

Justification: The number of employees and the distance between physical locations have little or no effect on standard information security governance models. Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, lead-

Question: Which of the following activities MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems

Justification: Approving access to critical financial systems is the responsibility of individual system data owners.

Question: While implementing information security governance, an organization should FIRST:
A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies.

Answer: C

Justification: Security governance must be developed to meet and support the objectives of the information security strategy, so the strategy is defined first. Policies are a primary instrument of governance and must be developed or modified to support the strategy. Adopting suitable security standards that implement the intent of the policies follows the development of policies that support the strategy. Security baselines are established as a result of determining acceptable risk, which should be defined as a requirement prior to strategy development.

A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide good practices for security initiatives.

Answer: A

Question: Which of the following would be the BEST indicator of effective information security governance within an organization?
A. The steering committee approves security projects.
B. Security policy training is provided to all managers.

Answer: A

Justification: The existence of a steering committee that approves all security projects is an indication of a good governance program. To ensure that all stakeholders impacted by security considerations are involved, many organizations use a steering committee made up of senior representatives of the affected groups. This composition helps to achieve consensus on priorities and trade-offs and serves as an effective communication channel for keeping the security program aligned with business objectives. Security policy training is important at all levels of the organization and is also an indicator of good governance; however, it must be guided and approved as a security project by the steering committee to ensure that all parts of the organization are aware of the policies. The availability of security training, while beneficial to the overall security program, does not ensure that employees are following the program and have the required level of awareness without a process to enforce awareness and compliance. Even organizations with little overall governance may be effective in patching systems in a timely manner; this is not an indication of effective governance.

A. organizational risk.
B. organizationwide metrics.
C. security needs.
D. the responsibilities of organizational units.

Question: Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.

Answer: B

Justification: Updated security policies are required to align management business objectives with security processes and procedures: management objectives translate into policy, and policy translates into standards and procedures. Security awareness training promotes the security policies, procedures and appropriate use of the security mechanisms, but it does not precede the implementation of information security governance. An incident management team is not the first requirement for the implementation of information security governance and can exist even where formal governance is minimal. Information security governance provides the basis for the architecture and must be implemented before a security architecture is developed.

Answer: D

Justification: Organizational standards must be subordinate to local regulations. It would be incorrect to follow local regulations only, because there must be recognition of organizational requirements. Making an organization aware of standards is a sensible step

Question: Which of the following is MOST important in developing a security strategy?
A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security

Answer: B

Justification: Alignment with business strategy is essential in determining the security needs of the organization; this can only be achieved if the key business objectives driving the strategy are understood. A positive security environment (culture) enables successful implementation of the security strategy but is not as important as alignment with business objectives during the development of the strategy. A reporting line to senior management may be helpful in developing a strategy but does not ensure the understanding of business objectives necessary for strategic alignment. Allocation of resources is not likely to be effective if the business objectives are not well understood.

Answer: B

Justification: An information security manager needs to gain an understanding of the current business strategy and direction in order to understand the organization's objectives and the impact of the other answers on achieving those objectives. Technical vulnerabilities, as a component of risk, will be most relevant in the context of threats to achieving the business objectives defined in the business strategy. A business impact analysis should be performed prior to developing a

Question: Acceptable levels of information security risk should be determined by:
A. legal counsel.
B. security management.
C. external auditors.
D. the steering committee.

Answer: D

Justification: An acceptable level of risk in an organization is a business decision, not a security decision. Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. External auditors can point out areas of risk but are not in a position to determine what levels of risk the organization is willing to assume.

Question: Which of the following would BEST prepare an information security manager for regulatory reviews?
A. Assign an information security administrator as regulatory liaison.
B. Perform self-assessments using regulatory guidelines and reports.
C. Assess previous regulatory reports with process owners' input.
D. Ensure all regulatory inquiries are sanctioned by the legal department.

Answer: B

Justification: Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department is not as effective as performing self-assessments. Assessing previous regulatory reports is not as effective as performing self-assessments, since conditions may have changed. The legal department should review all formal inquiries, but this does not help prepare for a regulatory review.

Answer: B

Justification: