Implementing Effective Information Security Governance, Exams of Security Analysis

This document covers various aspects of information security governance within an organization, such as aligning security policies with local regulations, ensuring vendor security, establishing a security-aware corporate culture, developing security KPIs, and involving information security in change management processes. It offers insights into best practices for implementing a robust information security governance framework that supports the organization's overall security strategy and compliance requirements. By studying this document, readers can gain a deeper understanding of the key considerations and challenges involved in effectively managing information security at an enterprise level.

Typology: Exams

2024/2025

Available from 09/27/2024

DrShirleyAurora
CISM
An information security risk analysis BEST assists an organization in ensuring that:
A. the infrastructure has the appropriate level of access control.
B. cost-effective decisions are made with regard to which assets need protection.
C. an appropriate level of funding is applied to security processes.
D. the organization implements appropriate security technologies. -
B. cost-effective decisions are made with regard to which assets need protection.

In a multinational organization, local security regulations should be implemented over global security policy because:
A. business objectives are defined by local business unit managers.
B. deploying awareness of local regulations is more practical than of global policy.
C. global security policies include unnecessary controls for local businesses.
D. requirements of local regulations take precedence. -
D. requirements of local regulations take precedence.

To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST:
A. conduct a cost-benefit analysis.
B. conduct a risk assessment.
C. interview senior management.
D. perform a gap analysis. -
B. conduct a risk assessment.

When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?
A. Access control management
B. Change management
C. Configuration management
D. Risk management -

D. Risk management

Which of the following is the BEST way to build a risk-aware culture?
A. Periodically change risk awareness messages.
B. Ensure that threats are communicated organization-wide in a timely manner.
C. Periodically test compliance with security controls and post results.
D. Establish incentives and a channel for staff to report risks. -
D. Establish incentives and a channel for staff to report risks.

What would be an information security manager's BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization's critical data?
A. Cancel the outsourcing contract.
B. Transfer the risk to the provider.
C. Create an addendum to the existing contract.
D. Initiate an external audit of the provider's data center. -
C. Create an addendum to the existing contract.

An organization has purchased a security information and event management (SIEM) tool. Which of the following is MOST important to consider before implementation?
A. Controls to be monitored
B. Reporting capabilities
C. The contract with the SIEM vendor
D. Available technical support -
A. Controls to be monitored

Which of the following is MOST likely to be included in an enterprise security policy?
A. Definitions of responsibilities
B. Retention schedules
C. System access specifications
D. Organizational risk -
A. Definitions of responsibilities

An information security manager has been asked to determine whether an information security initiative has reduced risk to an acceptable level. Which of the following activities would provide the BEST information for the information security manager to draw a conclusion?
A. Initiating a cost-benefit analysis of the implemented controls
B. Performing a risk assessment
C. Reviewing the risk register
D. Conducting a business impact analysis (BIA) -
B. Performing a risk assessment

An organization that uses external cloud services extensively is concerned with risk monitoring and timely response. The BEST way to address this concern is to ensure:
A. the availability of continuous technical support.
B. appropriate service level agreements (SLAs) are in place.
C. a right-to-audit clause is included in contracts.
D. internal security standards are in place. -
B. appropriate service level agreements (SLAs) are in place.

Which of the following is the BEST way to ensure that organizational security policies comply with data security regulatory requirements?
A. Obtain annual sign-off from executive management.
B. Align the policies to the most stringent global regulations.
C. Send the policies to stakeholders for review.
D. Outsource compliance activities. -
B. Align the policies to the most stringent global regulations.

The PRIMARY reason for defining the information security roles and responsibilities of staff throughout an organization is to:
A. comply with security policy.
B. increase corporate accountability.
C. enforce individual accountability.
D. reinforce the need for training. -
C. enforce individual accountability.

Threat and vulnerability assessments are important PRIMARILY because they are:
A. used to establish security investments.
B. needed to estimate risk.
C. the basis for setting control objectives.
D. elements of the organization's security posture. -
B. needed to estimate risk.

Which of the following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data?
A. Ensuring the amount of residual risk is acceptable
B. Reducing the number of vulnerabilities detected
C. Avoiding identified system threats
D. Complying with regulatory requirements -
A. Ensuring the amount of residual risk is acceptable

When evaluating vendors for sensitive data processing, which of the following should be the FIRST step to ensure the correct level of information security is provided?
A. Develop metrics for vendor performance.
B. Include information security criteria as part of vendor selection.
C. Review third-party reports of potential vendors.
D. Include information security clauses in the vendor contract. -
B. Include information security criteria as part of vendor selection.

An information security team is investigating an alleged breach of an organization's network. Which of the following would be the BEST single source of evidence to review?
A. File integrity monitoring (FIM) software
B. Security information and event management (SIEM) tool
C. Intrusion detection system (IDS)
D. Antivirus software -
B. Security information and event management (SIEM) tool

C. reducing the need for subsequent risk evaluation.
D. focusing on important and relevant risk. -
D. focusing on important and relevant risk.

Which of the following is the MOST important consideration when developing information security objectives?
A. They are regularly reassessed and reported to stakeholders
B. They are approved by the IT governance function
C. They are clear and can be understood by stakeholders
D. They are identified using global security frameworks and standards -
C. They are clear and can be understood by stakeholders

A legacy application does not comply with new regulatory requirements to encrypt sensitive data at rest, and remediating this issue would require significant investment. What should the information security manager do FIRST?
A. Assess the business impact to the organization.
B. Present the noncompliance risk to senior management.
C. Investigate alternative options to remediate the noncompliance.
D. Determine the cost to remediate the noncompliance. -
A. Assess the business impact to the organization.

Which of the following BEST enables effective information security governance?
A. Security-aware corporate culture
B. Advanced security technologies
C. Periodic vulnerability assessments
D. Established information security metrics -
A. Security-aware corporate culture

Application data integrity risk is MOST directly addressed by a design that includes:
A. strict application of an authorized data dictionary.
B. reconciliation routines such as checksums, hash totals, and record counts.
C. application log requirements such as field-level audit trails and user activity logs.

D. access control technologies such as role-based entitlements. -
B. reconciliation routines such as checksums, hash totals, and record counts.

Deciding the level of protection a particular asset should be given is BEST determined by:
A. the corporate risk appetite.
B. a risk analysis.
C. a threat assessment.
D. a vulnerability assessment. -
B. a risk analysis.

What should be an information security manager's FIRST step when developing a business case for a new intrusion detection system (IDS) solution?
A. Calculate the total cost of ownership (TCO).
B. Define the issues to be addressed.
C. Perform a cost-benefit analysis.
D. Conduct a feasibility study. -
B. Define the issues to be addressed.

Which of the following is the MOST important incident management consideration for an organization subscribing to a cloud service?
A. Decision on the classification of cloud-hosted data
B. Expertise of personnel providing incident response
C. Implementation of a SIEM in the organization
D. An agreement on the definition of a security incident -
D. An agreement on the definition of a security incident

Which of the following is the BEST way for an organization to determine the maturity level of its information security program?
A. Review the results of information security awareness testing.
B. Validate the effectiveness of implemented security controls.
C. Benchmark the information security policy against industry standards.
D. Track the trending of information security incidents. -

C. There is a conflict of interest between the business and IT.
D. The CIO is not taking charge of the committee. -
B. The committee lacks sufficient business representation.

What is the PRIMARY purpose of an unannounced disaster recovery exercise?
A. To provide metrics to senior management
B. To evaluate how personnel react to the situation
C. To assess service level agreements (SLAs)
D. To estimate the recovery time objective (RTO) -
B. To evaluate how personnel react to the situation

Labeling information according to its security classification:
A. reduces the need to identify baseline controls for each classification.
B. reduces the number and type of countermeasures required.
C. enhances the likelihood of people handling information securely.
D. affects the consequences if information is handled insecurely. -
C. enhances the likelihood of people handling information securely.

Which of the following is the MOST effective approach for determining whether an organization's information security program supports the information security strategy?
A. Ensure resources meet information security program needs
B. Audit the information security program to identify deficiencies
C. Identify gaps impacting information security strategy
D. Develop key performance indicators (KPIs) of information security -
D. Develop key performance indicators (KPIs) of information security

When drafting the corporate privacy statement for a public web site, which of the following MUST be included?
A. Limited liability clause
B. Access control requirements
C. Explanation of information usage
D. Information encryption requirements -

C. Explanation of information usage

An organization is concerned with the potential for exploitation of vulnerabilities in its server systems. Which of the following is the BEST control to mitigate the associated risk?
A. Enforcing standard system configurations based on secure configuration benchmarks
B. Implementing network and system-based anomaly monitoring software for server systems
C. Enforcing configurations for secure logging and audit trails on server systems
D. Implementing host-based intrusion detection systems (IDS) on server systems -
A. Enforcing standard system configurations based on secure configuration benchmarks

Which of the following is the MOST important step when establishing guidelines for the use of social networking sites in an organization?
A. Identify secure social networking sites
B. Establish disciplinary actions for noncompliance
C. Perform a vulnerability assessment
D. Define acceptable information for posting -
D. Define acceptable information for posting

Regular vulnerability scanning on an organization's internal network has identified that many user workstations have unpatched versions of software. What is the BEST way for the information security manager to help senior management understand the related risk?
A. Include the impact of the risk as part of regular metrics.
B. Send regular notifications directly to senior managers.
C. Recommend the security steering committee conduct a review.
D. Update the risk assessment at regular intervals. -
A. Include the impact of the risk as part of regular metrics.

Which of the following BEST prepares a computer incident response team for a variety of information security scenarios?
A. Tabletop exercises
B. Forensics certification
C. Penetration tests
D. Disaster recovery drills -

Which of the following is the PRIMARY responsibility of an information security manager in an organization that is implementing the use of company-owned mobile devices in its operations?
A. Review and update existing security policies.
B. Enforce passwords and data encryption on the devices.
C. Conduct security awareness training.
D. Require remote wipe capabilities for devices. -
A. Review and update existing security policies.

Which of the following would be MOST useful to help senior management understand the status of information security compliance?
A. Key performance indicators (KPIs)
B. Risk assessment results
C. Industry benchmarks
D. Business impact analysis (BIA) results -
A. Key performance indicators (KPIs)

Which of the following is the MOST important reason for an organization to develop an information security governance program?
A. Establishment of accountability
B. Compliance with audit requirements
C. Creation of tactical solutions
D. Monitoring of security incidents -
A. Establishment of accountability

Which of the following provides the MOST essential input for the development of an information security strategy?
A. Results of an information security gap analysis
B. Measurement of security performance against IT goals
C. Results of a technology risk assessment
D. Availability of capable information security resources -

A. Results of an information security gap analysis

The MOST important reason for an information security manager to be involved in the change management process is to ensure that:
A. security controls drive technology changes.
B. risks have been evaluated.
C. security controls are updated regularly.
D. potential vulnerabilities are identified. -
B. risks have been evaluated.

Which of the following should be the PRIMARY focus of a status report on the information security program to senior management?
A. Confirming the organization complies with security policies
B. Verifying security costs do not exceed the budget
C. Demonstrating risk is managed at the desired level
D. Providing evidence that resources are performing as expected -
C. Demonstrating risk is managed at the desired level

Which of the following is MOST likely to be a component of a security incident escalation policy?
A. Names and telephone numbers of key management personnel
B. A severity-ranking mechanism tied only to the duration of the outage
C. Sample scripts and press releases for statements to media
D. Decision criteria for when to alert various groups -
D. Decision criteria for when to alert various groups

Which of the following would be an information security manager's PRIMARY challenge when deploying a bring your own device (BYOD) mobile program in an enterprise?
A. Configuration management
B. Mobile application control
C. Inconsistent device security
D. End user acceptance -
C. Inconsistent device security

An information security manager wants to improve the ability to identify changes in risk levels affecting the organization's systems. Which of the following is the BEST method to achieve this objective?
A. Performing business impact analyses (BIA)
B. Monitoring key goal indicators (KGIs)
C. Monitoring key risk indicators (KRIs)
D. Updating the risk register -
C. Monitoring key risk indicators (KRIs)

When developing an escalation process for an incident response plan, the information security manager should PRIMARILY consider the:
A. affected stakeholders.
B. incident response team.
C. availability of technical resources.
D. media coverage. -
A. affected stakeholders.

Which of the following should be an information security manager's MOST important consideration when determining if an information asset has been classified appropriately?
A. Value to the business
B. Security policy requirements
C. Ownership of information
D. Level of protection -
A. Value to the business

The effectiveness of an incident response team will be GREATEST when:
A. the incident response process is updated based on lessons learned.
B. the incident response team members are trained security personnel.
C. the incident response team meets on a regular basis to review log files.
D. incidents are identified using a security information and event monitoring (SIEM) system. -
A. the incident response process is updated based on lessons learned.

An information security manager MUST have an understanding of the organization's business goals to:
A. relate information security to change management.
B. develop an information security strategy.
C. develop operational procedures.
D. define key performance indicators (KPIs). -
B. develop an information security strategy.

An information security manager MUST have an understanding of an information security program?
A. Understanding current and emerging technologies
B. Establishing key performance indicators (KPIs)
C. Conducting periodic risk assessments
D. Obtaining stakeholder input -
D. Obtaining stakeholder input

An attacker was able to gain access to an organization's perimeter firewall and made changes to allow wider external access and to steal data. Which of the following would have BEST provided timely identification of this incident?
A. Implementing a data loss prevention (DLP) suite
B. Deploying an intrusion prevention system (IPS)
C. Deploying a security information and event management system (SIEM)
D. Conducting regular system administrator awareness training -
C. Deploying a security information and event management system (SIEM)

When establishing metrics for an information security program, the BEST approach is to identify indicators that:
A. support major information security initiatives.
B. reflect the corporate risk culture.
C. reduce information security program spending.
D. demonstrate the effectiveness of the security program. -
D. demonstrate the effectiveness of the security program.

Which of the following provides the MOST relevant information to determine the overall effectiveness of an information security program and underlying business processes?
A. SWOT analysis
B. Industry benchmarks
C. Cost-benefit analysis
D. Balanced scorecard -
D. Balanced scorecard

An organization finds unauthorized software has been installed on a number of workstations. The software was found to contain a Trojan, which had been uploading data to an unknown external party. Which of the following would have BEST prevented the installation of the unauthorized software?
A. Banning executable file downloads at the Internet firewall
B. Implementing an intrusion detection system (IDS)
C. Implementing application blacklisting
D. Removing local administrator rights -
D. Removing local administrator rights

When developing a tabletop test plan for incident response testing, the PRIMARY purpose of the scenario should be to:
A. measure management engagement as part of an incident response team.
B. provide participants with situations to ensure understanding of their roles.
C. give the business a measure of the organization's overall readiness.
D. challenge the incident response team to solve the problem under pressure. -
B. provide participants with situations to ensure understanding of their roles.

Which of the following is MOST important for an information security manager to consider when identifying information security resource requirements?
A. Availability of potential resources
B. Information security incidents
C. Current resourcing levels
D. Information security strategy -

D. Information security strategy

Which of the following is the MAIN benefit of performing an assessment of existing incident response processes?
A. Validation of current capabilities
B. Benchmarking against industry peers
C. Prioritization of action plans
D. Identification of threats and vulnerabilities -
A. Validation of current capabilities

Which of the following BEST describes a buffer overflow?
A. A type of covert channel that captures data
B. A function is carried out with more data than the function can handle
C. Malicious code designed to interfere with normal operations
D. A program contains a hidden and unintended function that presents a security risk -
B. A function is carried out with more data than the function can handle

Which of the following is the MOST important consideration when selecting members for an information security steering committee?
A. Information security expertise
B. Tenure in the organization
C. Business expertise
D. Cross-functional composition -
D. Cross-functional composition

Which of the following BEST validates that security controls are implemented in a new business process?
A. Verify the use of a recognized control framework
B. Review the process for conformance with information security best practices
C. Benchmark the process against industry practices
D. Assess the process according to information security policy -
D. Assess the process according to information security policy