CISM Practice A Topic 1 Flashcards

Question 1

Q

Which of the following should be the FIRST step in developing an information security plan?

Perform a technical vulnerabilities assessment

Analyze the current business strategy

Perform a business impact analysis

Assess the current levels of security awareness

Answer

A

Analyze the current business strategy

Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.

Question 2

Q

Senior management commitment and support for information security can BEST be obtained through presentations that:

use illustrative examples of successful attacks.

explain the technical risks to the organization.

evaluate the organization against best security practices.

tie security risks to key business objectives.

Answer

A

tie security risks to key business objectives.

Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.

Question 3

Q

The MOST appropriate role for senior management in supporting information security is the:

evaluation of vendors offering security products.

assessment of risks to the organization.

approval of policy statements and funding.

monitoring adherence to regulatory requirements.

Answer

A

approval of policy statements and funding.

Since the members of senior management are ultimately responsible for information security, they are the ultimate decision makers in terms of governance and direction. They are responsible for approval of major policy statements and requests to fund the information security practice. Evaluation of vendors, assessment of risks and monitoring compliance with regulatory requirements are day-to-day responsibilities of the information security manager; in some organizations, business management is involved in these other activities, though their primary role is direction and governance.

Question 4

Q

Which of the following would BEST ensure the success of information security governance within an organization?

Steering committees approve security projects

Security policy training provided to all managers

Security training available to all employees on the intranet

Steering committees enforce compliance with laws and regulations

Answer

A

Steering committees approve security projects

The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.

Question 5

Q

Information security governance is PRIMARILY driven by:

technology constraints.

regulatory requirements.

litigation potential.

business strategy.

Answer

A

business strategy.

Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.

Question 6

Q

Which of the following represents the MAJOR focus of privacy regulations?

Unrestricted data mining

Identity theft

Human rights protection

Identifiable personal data

Answer

A

Identifiable personal data

Protection of identifiable personal data is the major focus of recent privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Data mining is an accepted tool for ad hoc reporting; it could pose a threat to privacy only if it violates regulator provisions. Identity theft is a potential consequence of privacy violations but not the main focus of many regulations. Human rights addresses privacy issues but is not the main focus of regulations.

Question 7

Q

Investments in information security technologies should be based on:

vulnerability assessments.

value analysis.

business climate.

audit recommendations.

Answer

A

value analysis.

Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate because it is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.

Question 8

Q

Retention of business records should PRIMARILY be based on:

business strategy and direction.

regulatory and legal requirements.

storage capacity and longevity.

business case and value analysis.

Answer

A

regulatory and legal requirements.Retention of business records is generally driven by legal and regulatory requirements. Business strategy and direction would not normally apply nor would they override legal and regulatory requirements. Storage capacity and longevity are important but secondary issues. Business case and value analysis would be secondary to complying with legal and regulatory requirements.

Question 9

Q

Which of the following is characteristic of centralized information security management?

More expensive to administer

Better adherence to policies

More aligned with business unit needs

Faster turnaround of requests

Answer

A

Better adherence to policies

Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economics of scale. However, turnaround can be slower due to the lack of alignment with business units.

Question 10

Q

Successful implementation of information security governance will FIRST require:

security awareness training.

updated security policies.

a computer incident management team.

a security architecture.

Answer

A

updated security policies.

Updated security policies are required to align management objectives with security procedures; management objectives translate into policy, policy translates into procedures. Security procedures will necessitate specialized teams such as the computer incident response and management group as well as specialized tools such as the security mechanisms that comprise the security architecture. Security awareness will promote the policies, procedures and appropriate use of the security mechanisms.

Question 11

Q

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

Information security manager

Chief operating officer (COO)

Internal auditor

Legal counsel

Answer

A

Chief operating officer (COO)

The chief operating officer (COO) is highly-placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.

Question 12

Q

The MOST important component of a privacy policy is:

notifications.

warranties.

liabilities.

geographic coverage.

Answer

A

notifications.

Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

Question 13

Q

The cost of implementing a security control should not exceed the:

annualized loss expectancy.

cost of an incident.

asset value.

implementation opportunity costs

Answer

A

asset value.

The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses that are expected to happen during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.

Question 14

Q

When a security standard conflicts with a business objective, the situation should be resolved by:

changing the security standard.

changing the business objective.

performing a risk analysis.

authorizing a risk acceptance.

Answer

A

performing a risk analysis.

Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance* is a process that derives from the risk analysis.

Question 15

Q

Minimum standards for securing the technical infrastructure should be defined in a security:

strategy.

guidelines.

model.

architecture.

Answer

A

architecture.

Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.

Question 16

Q

Which of the following is MOST appropriate for inclusion in an information security strategy?

Business controls designated as key controls

Security processes, methods, tools and techniques

Firewall rule sets, network defaults and intrusion detection system (IDS) settings

Budget estimates to acquire specific security tools

Answer

A

Security processes, methods, tools and techniques

A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.

Question 17

Q

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:

organizational risk.

organization wide metrics.

security needs.

the responsibilities of organizational units.

Answer

A

organizational risk.

Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.

Question 18

Q

Which of the following roles would represent a conflict of interest for an information security manager?

Evaluation of third parties requesting connectivity

Assessment of the adequacy of disaster recovery plans

Final approval of information security policies

Monitoring adherence to physical security controls

Answer

A

Final approval of information security policies

Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.

Question 19

Q

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

The information security department has difficulty filling vacancies.

The chief information officer (CIO) approves security policy changes.

The information security oversight committee only meets quarterly.

The data center manager has final signoff on all security projects.

Answer

A

The data center manager has final signoff on all security projects.

A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals.

Question 20

Q

Which of the following requirements would have the lowest level of priority in information security?

Technical

Regulatory

Privacy

Business

Answer

A

Technical

Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are government-mandated and, therefore, not subject to override. The needs of the business should always take precedence in deciding information security priorities.

Question 21

Q

When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?

Develop a security architecture

Establish good communication with steering committee members

Assemble an experienced staff

Benchmark peer organizations

Answer

A

Establish good communication with steering committee members

New information security managers should seek to build rapport and establish lines of communication with senior management to enlist their support. Benchmarking peer organizations is beneficial to better understand industry best practices, but it is secondary to obtaining senior management support. Similarly, developing a security architecture and assembling an experienced staff are objectives that can be obtained later.

Question 22

Q

It is MOST important that information security architecture be aligned with which of the following?

Industry best practices

Information technology plans

Information security best practices

Business objectives and goals

Answer

A

Business objectives and goals

Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison.

Question 23

Q

Which of the following is MOST likely to be discretionary?

Policies

Procedures

Guidelines

Standards

Answer

A

Guidelines

Policies define security goals and expectations for an organization. These are defined in more specific terms within standards and procedures. Standards establish what is to be done while procedures describe how it is to be done. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.

Question 24

Q

Security technologies should be selected PRIMARILY on the basis of their:

ability to mitigate business risks.

evaluations in trade publications.

use of new and emerging technologies.

benefits in comparison to their costs.

Answer

A

ability to mitigate business risks.

The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.

Question 25

Q

Which of the following are seldom changed in response to technological changes?

Standards

Procedures

Policies

Guidelines

Answer

A

Policies

Policies are high-level statements of objectives. Because of their high-level nature and statement of broad operating principles, they are less subject to periodic change. Security standards and procedures as well as guidelines must be revised and updated based on the impact of technology changes.

Question 26

Q

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:

storage capacity and shelf life.

regulatory and legal requirements.

business strategy and direction.

application systems and media.

Answer

A

application systems and media.

Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.

Question 27

Q

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

More uniformity in quality of service

Better adherence to policies

Better alignment to business unit needs

More savings in total operating costs

Answer

A

Better alignment to business unit needs

Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.

Question 28

Q

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

Chief security officer (CSO)

Chief operating officer (COO)

Chief privacy officer (CPO)

Chief legal counsel (CLC)

Answer

A

Chief operating officer (COO)

The chief operating officer (COO) is most knowledgeable of business operations and objectives. The chief privacy officer (CPO) and the chief legal counsel (CLC) may not have the knowledge of the day- to-day business operations to ensure proper guidance, although they have the same influence within the organization as the COO. Although the chief security officer (CSO) is knowledgeable of what is needed, the sponsor for this task should be someone with far-reaching influence across the organization.

Question 29

Q

Which of the following would be the MOST important goal of an information security governance program?

Review of internal control mechanisms

Effective involvement in business decision making

Total elimination of risk factors

Ensuring trust in data

Answer

A

Ensuring trust in data

The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.

Question 30

Q

Relationships among security technologies are BEST defined through which of the following?

Security metrics

Network topology

Security architecture

Process improvement models

Answer

A

Security architecture

Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.

Question 31

Q

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

Enforce the existing security standard

Change the standard to permit the deployment

Perform a risk analysis to quantify the risk

Perform research to propose use of a better technology

Answer

A

Perform a risk analysis to quantify the risk

Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.

Question 32

Q

Acceptable levels of information security risk should be determined by:

legal counsel.

security management.

external auditors.

the steering committee.

Answer

A

the steering committee.

Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel, the external auditors and security management are not in a position to make such a decision.

Question 33

Q

The PRIMARY goal in developing an information security strategy is to:

establish security metrics and performance monitoring.
educate business process owners regarding their duties.
ensure that legal and regulatory requirements are met
support the business objectives of the organization.

Answer

A

support the business objectives of the organization.

The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.

Question 34

Q

Senior management commitment and support for information security can BEST be enhanced through:

a formal security policy sponsored by the chief executive officer (CEO).

regular security awareness training for employees.

periodic review of alignment with business management goals.

senior management signoff on the information security strategy.

Answer

A

periodic review of alignment with business management goals.

Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer (CEO) signoff on the security policy and senior management signoff on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.

Question 35

Q

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

Create separate policies to address each regulation

Develop policies that meet all mandated requirements

Incorporate policy statements provided by regulators

Develop a compliance risk assessment

Answer

A

Develop policies that meet all mandated requirements

It will be much more efficient to craft all relevant requirements into policies than to create separate versions. Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.

Question 36

Q

Which of the following MOST commonly falls within the scope of an information security governance steering committee?

Interviewing candidates for information security specialist positions

Developing content for security awareness programs

Prioritizing information security initiatives

Approving access to critical financial systems

Answer

A

Prioritizing information security initiatives

Prioritizing information security initiatives is the only appropriate item. The interviewing of specialists should be performed by the information security manager, while the developing of program content should be performed by the information security staff. Approving access to critical financial systems is the responsibility of individual system data owners.

Question 37

Q

Which of the following is the MOST important factor when designing information security architecture?

Technical platform interfaces

Scalability of the network

Development methodologies

Stakeholder requirements

Answer

A

Stakeholder requirements

The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically-elegant solution is achieved that does not meet the needs of the business.

Question 38

Q

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?

Knowledge of information technology platforms, networks and development methodologies

Ability to understand and map organizational needs to security technologies

Knowledge of the regulatory environment and project management techniques

Ability to manage a diverse group of individuals and resources across an organization

Answer

A

Ability to understand and map organizational needs to security technologies

Information security will be properly aligned with the goals of the business only with the ability to understand and map organizational needs to enable security technologies. All of the other choices are important but secondary to meeting business security needs.

Question 39

Q

Which of the following are likely to be updated MOST frequently?

Procedures for hardening database servers

Standards for password length and complexity

Policies addressing information security governance

Standards for document retention and destruction

Answer

A

Procedures for hardening database servers

Policies and standards should generally be more static and less subject to frequent change. Procedures on the other hand, especially with regard to the hardening of operating systems, will be subject to constant change; as operating systems change and evolve, the procedures for hardening will have to keep pace.

Question 40

Q

Who should be responsible for enforcing access rights to application data?

Data owners

Business process owners

The security steering committee

Security administrators

Answer

A

Security administrators

As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.

Question 41

Q

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

head of internal audit.

chief operations officer (COO).

chief technology officer (CTO).

legal counsel.

Answer

A

chief operations officer (COO).

The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO’s goals for the infrastructure might, at times, run counter to the goals of information security.

Question 42

Q

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

Update platform-level security settings

Conduct disaster recovery test exercises

Approve access to critical financial systems

Develop an information security strategy paper

Answer

A

Develop an information security strategy paper

Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks.

Question 43

Q

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

assessing the frequency of incidents.

quantifying the cost of control failures.

calculating return on investment (ROI) projections.

comparing spending against similar organizations.

Answer

A

calculating return on investment (ROI) projections.

Calculating the return on investment (ROI) will most closely align security with the impact on the bottom line. Frequency and cost of incidents are factors that go into determining the impact on the business but, by themselves, are insufficient. Comparing spending against similar organizations can be problematic since similar organizations may have different business goals and appetites for risk.

Question 44

Q

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

aligned with the IT strategic plan.

based on the current rate of technological change.

three-to-five years for both hardware and software.

aligned with the business strategy.

Answer

A

aligned with the business strategy.

Any planning for information security should be properly aligned with the needs of the business. Technology should not come before the needs of the business, nor should planning be done on an artificial timetable that ignores business needs.

Question 45

Q

Which of the following is the MOST important information to include in a strategic plan for information security?

Information security staffing requirements

Current state and desired future state

IT capital investment requirements

Information security mission statement

Answer

A

Current state and desired future state

It is most important to paint a vision for the future and then draw a road map from the stalling point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.

Question 46

Q

Information security projects should be prioritized on the basis of:

time required for implementation.

impact on the organization.

total cost for implementation.

mix of resources required.

Answer

A

impact on the organization.

Information security projects should be assessed on the basis of the positive impact that they will have on the organization. Time, cost and resource issues should be subordinate to this objective

Question 47

Q

Which of the following is the MOST important information to include in an information security standard?

Creation date

Author name

Initial draft approval date

Last review date

Answer

A

Last review date

The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard. The name of the author as well as the creation and draft dates are not that important.

Question 48

Q

Which of the following would BEST prepare an information security manager for regulatory reviews?

Assign an information security administrator as regulatory liaison

Perform self-assessments using regulatory guidelines and reports

Assess previous regulatory reports with process owners input

Ensure all regulatory inquiries are sanctioned by the legal department

Answer

A

Perform self-assessments using regulatory guidelines and reports

Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department, or assessing previous reports, is not as effective. The legal department should review all formal inquiries but this does not help prepare for a regulatory review.

Question 49

Q

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
establish baseline standards for all locations and add supplemental standards as required.
bring all locations into conformity with a generally accepted set of industry best practices.
establish a baseline standard incorporating those requirements that all jurisdictions have in common.

Answer

A

establish baseline standards for all locations and add supplemental standards as required.

It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The opposite approachâ€”forcing all locations to be in compliance with the regulations places an undue burden on those locations.

Question 50

Q

Which of the following BEST describes an information security manager’s role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

Ensure that all IT risks are identified

Evaluate the impact of information security risks

Demonstrate that IT mitigating controls are in place

Suggest new IT controls to mitigate operational risk

Answer

A

Evaluate the impact of information security risks

The job of the information security officer on such a team is to assess the risks to the business operation. Ensuring that all IT risks are identified is incorrect because information security is not limited to IT issues. At the time a team is formed to assess risk, it is premature to assume that any demonstration of IT controls will mitigate business operations risk. It is premature at the time of the formation of the team to assume that any suggestion of new IT controls will mitigate business operational risk.

Question 51

Q

From an information security manager perspective, what is the immediate benefit of clearly defined roles and responsibilities?

Enhanced policy compliance

Improved procedure flows

Segregation of duties

Better accountability

Answer

A

Better accountability

Without well-defined roles and responsibilities, there cannot be accountability. Policy compliance requires adequately defined accountability first and therefore is a byproduct. People can be assigned to execute procedures that are not well designed. Segregation of duties is not automatic, and roles may still include conflicting duties.

Question 52

Q

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

Security metrics reports

Risk assessment reports

Business impact analysis (BIA)

Return on security investment report

Answer

A

Risk assessment reports

Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.

Question 53

Q

Reviewing which of the following would BEST ensure that security controls are effective?

Risk assessment policies

Return on security investment

Security metrics

User access rights

Answer

A

Security metrics

Reviewing security metrics provides senior management a snapshot view and trends of an organization’s security posture. Reviewing risk assessment policies would not ensure that the controls are actually working. Reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.

Question 54

Q

Which of the following is responsible for legal and regulatory liability?

Chief security officer (CSO)

Chief legal counsel (CLC)

Board and senior management

Information security steering group

Answer

A

Board and senior management

The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.

Question 55

Q

While implementing information security governance an organization should FIRST:

adopt security standards.

determine security baselines.

define the security strategy.

establish security policies.

Answer

A

define the security strategy.

The first step in implementing information security governance is to define the security strategy based on which security baselines are determined. Adopting suitable security- standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.

Question 56

Q

Information security policy enforcement is the responsibility of the:

security steering committee.

chief information officer (CIO).

chief information security officer (CISO).

chief compliance officer (CCO).

Answer

A

chief information security officer (CISO).

Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.

Question 57

Q

A good privacy statement should include:

notification of liability on accuracy of information.

notification that information will be encrypted.

what the company will do with information it collects.

a description of the information classification process

Answer

A

what the company will do with information it collects.

Most privacy laws and regulations require disclosure on how information will be used. Notification of liability on information accuracy should be located in the web site’s disclaimer, so is an incorrect answer. Notification that information will be encrypted is incorrect because, although encryption may be applied, this is not generally disclosed. Information classification would be contained in a separate policy, so that is also incorrect.

Question 58

Q

Which of the following would be MOST effective in successfully implementing restrictive password policies?

Regular password audits

Single sign-on system

Security awareness program

Penalties for noncompliance

Answer

A

Security awareness program

To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.

Question 59

Q

When designing an information security quarterly report to management, the MOST important element to be considered should be the:

information security metrics.

knowledge required to analyze each issue.

linkage to business area objectives.

baseline against which metrics are evaluated.

Answer

A

linkage to business area objectives.

The link to business objectives is the most important clement that would be considered by management. Information security metrics should be put in the context of impact to management objectives. Although important, the security knowledge required would not be the first element to be considered. Baselining against the information security metrics will be considered later in the process.

Question 60

Q

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

corporate data privacy policy.

data privacy policy where data are collected.

data privacy policy of the headquarters’ country.

data privacy directive applicable globally.

Answer

A

data privacy policy where data are collected.

As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.

Question 61

Q

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

meet with stakeholders to decide how to comply.

analyze key risks in the compliance process.

assess whether existing controls meet the regulation.

update the existing security/privacy policy

Answer

A

assess whether existing controls meet the regulation.

If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.

Question 62

Q

The PRIMARY objective of a security steering group is to:

ensure information security covers all business functions.
ensure information security aligns with business goals.
raise information security awareness across the organization.
implement all decisions on security management across the organization

Answer

A

ensure information security aligns with business goals.

The security steering group comprises senior management of key business functions and has the primary objective to align the security strategy with the business direction. Business areas may not be required to be covered by information security; but, if they do, the main purpose of the steering committee would be alignment more so than coverage. While raising awareness is important, this goal would not be carried out by the committee itself. The steering committee may delegate part of the decision making to the information security manager; however, if it retains this authority, it is not the primary’ goal.

Question 63

Q

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

baseline.

strategy.

procedure.

policy.

Answer

A

policy.

A policy is a high-level statement of an organization’s beliefs, goals, roles and objectives. Baselines assume a minimum security level throughout an organization. The information security strategy aligns the information security program with business objectives rather than making control statements. A procedure is a step-by-step process of how policy and standards will be implemented.

Question 64

Q

At what stage of the applications development process should the security department initially become involved?

When requested

At testing

At programming

At detail requirements

Answer

A

At detail requirements

Information security has to be integrated into the requirements of the application’s design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process.

Answer 65

A

Associating realistic threats to corporate objectives

Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as connecting corporate objectives and realistic threats when trying to obtain the funds for a new program.

Answer 66

A

business requirements.

The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided.

Answer 67

A

privacy protection.

Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals. Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the devices may not ensure adequate privacy protection and. therefore, is a partial answer.

Answer 68

A

ensure that security processes are consistent across the organization.

The organization first needs to move from ad hoc to repeatable processes. The organization then needs to document the processes and implement process monitoring and measurement. Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement. The organization needs to standardize processes both before documentation, and before monitoring and measurement.

Answer 69

A

Data owner

The data owner has full responsibility over data. The data custodian is responsible for securing the information. The database administrator carries out the technical administration. The information security officer oversees the overall classification management of the information.

Answer 70

A

Defining and ratifying the classification structure of information assets

Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. The final responsibility for deciding the classification levels rests with the data owners, not the information security manager. The job of securing information assets is the responsibility of the data custodians, not the information security manager. Checking to see if information assets have been classified properly may be a role of an information security manager but is not the key role in this context.

Answer 71

A

Detection

Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.

Answer 72

A

Understanding key business objectives

Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.

Answer 73

A

Board of directors

The board of directors is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management’s directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization’s information.

Answer 74

A

Regulatory compliance

Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.

Answer 75

A

the agreement of the data subjects.

Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. A data processing agreement, a data protection registration, and subject access procedures are supplementary data protection requirements that are not key for international data transfer.

Answer 76

A

Proportionality

Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation.

Answer 77

A

Senior management commitment

Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization

Answer 78

A

Complexity of organizational structure

Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance. Organizational budget is not a major impact once good governance models are in place, hence governance will help in effective management of the organization’s budget.

Answer 79

A

conduct a risk assessment.

Risk assessment, evaluation and impact analysis will be the starting point for driving management’s attention to information security. All other choices will follow the risk assessment.

Answer 80

A

it implies compliance risks.

Monitoring processes are also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law. Short-term impact and the possible violation of industry security practices are evaluated as part of the operational risk. Undetected changes in the roles matrix is unlikely to be as critical a breach of regulatory legislation. The acceptance of operational risks overrides the other choices.

Answer 81

A

strategic alignment.

Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.

Answer 82

A

Negotiate a local version of the organization standards

Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since there needs to be some recognition of organization requirements. Making an organization aware of standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation.

Answer 83

A

Security manager

Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.

Answer 84

A

clarify organizational purpose for creating the program.

In developing an information security management program, the first step is to clarify the organization’s purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.

Answer 85

A

The potential financial loss

The potential for financial loss is always a key factor when assessing the value of information. Choices B, C and D may be contributors, but not the key factor.

Answer 86

A

Business case

The information security manager needs to prioritize the controls based on risk management and the requirements of the organization. The information security manager must look at the costs of the various controls and compare them against the benefit the organization will receive from the security solution. The information security manager needs to have knowledge of the development of business cases to illustrate the costs and benefits of the various controls. All other choices are supplemental.

Answer 87

A

Cost-benefit analysis

Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact. Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization.

Answer 88

A

High-level sponsorship

The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance. Complexity of technology, budgetary constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors.

Answer 89

A

Inputs be obtained and consensus achieved between the major organizational units.

It is important to achieve consensus on risks and controls, and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization. Rotation of steering committee leadership does not help in achieving strategic alignment. Updating business strategy does not lead to strategic alignment of security initiatives. Procedures and standards need not be approved by all departmental heads.

Answer 90

A

Rogue access point

A rogue access point masquerades as a legitimate access point. The risk is that legitimate users may connect through this access point and have their traffic monitored. All other choices are not dependent on the use of a wireless local area network (LAN) technology.

Answer 91

A

Information security manager

The escalation process in critical situations should involve the information security manager as the first contact so that appropriate escalation steps are invoked as necessary. The remaining entities would be notified accordingly.

Answer 92

A

developing the security strategy.

The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy.

Answer 93

A

alignment.

Strategic alignment of security with business objectives is a key indicator of performance measurement. In guiding a security program, a meaningful performance measurement will also rely on an understanding of business objectives, which will be an outcome of alignment. Business linkages do not by themselves indicate integration or value delivery. While alignment is an important precondition, it is not as important an indicator.

Answer 94

A

Compliance with the organization’s information security requirements

From a security standpoint, compliance with the organization’s information security requirements is one of the most important topics that should be included in the contract with third-party service provider. The scope of implemented controls in any ISO 27001-compliant organization depends on the security requirements established by each organization. Requiring compliance only with this security standard does not guarantee that a service provider complies with the organization’s security requirements. The requirement to use a specific kind of control methodology is not usually stated in the contract with third- party service providers.

Answer 95

A

substantiate the investment in meeting organizational needs.Any investment must be reviewed to determine whether it is cost effective and supports the organizational strategy. It is important to review the features and functionalities provided by such a tool, and to provide examples of situations where the tool would be useful, but that comes after substantiating the investment and return on investment to the organization.

Answer 96

A

attributes and characteristics of the “desired state.”Security strategy will typically cover a wide variety of issues, processes, technologies and outcomes that can best be described by a set of characteristics and attributes that are desired. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.

Answer 97

A

conduct a risk assessment.A risk assessment would be most helpful to management in understanding at a very high level the threats, probabilities and existing controls. Developing a security architecture, installing a network intrusion detection system (NIDS) and preparing a list of attacks on the network and developing a network security policy would not be as effective in highlighting the importance to management and would follow only after performing a risk assessment.

Answer 98

A

Skills inventoryA skills inventory would help identify- the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.

Answer 99

A

are aligned with organizational goals.The most important characteristic of good security policies is that they be aligned with organizational goals. Failure to align policies and goals significantly reduces the value provided by the policies. Stating expectations of IT management omits addressing overall organizational goals and objectives. Stating only one general security mandate is the next best option since policies should be clear; otherwise, policies may be confusing and difficult to understand. Governing the creation of procedures and guidelines is most relevant to information security standards.

Answer 100

A

support organizational objectives.Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.

Answer 101

A

refer the issues to senior management along with any security recommendations.Senior management is in the best position to arbitrate since they will look at the overall needs of the business in reaching a decision. The authority may be delegated to others by senior management after their review of the issues and security recommendations. Units should not be asked to accept the risk without first receiving input from senior management.

Answer 102

A

developing a business case.Business case development, including a cost-benefit analysis, will be most persuasive to management. A risk assessment may be included in the business ease, but by itself will not be as effective in gaining management support. Informing management of regulatory requirements may help gain support for initiatives, but given that more than half of all organizations are not in compliance with regulations, it is unlikely to be sufficient in many cases. Good metrics which provide assurance that initiatives are meeting organizational goals will also be useful, but are insufficient in gaining management support.

Answer 103

A

Include security responsibilities in the job descriptionThe first step to improve accountability is to include security responsibilities in a job description. This documents what is expected and approved by the organization. The other choices are methods to ensure that the system administrator has the training to fulfill the responsibilities included in the job description.

Answer 104

A

Defined objectivesWithout defined objectives, a strategyâ€”the plan to achieve objectivesâ€”cannot be developed. Time frames for delivery are important but not critical for inclusion in the strategy document. Similarly, the adoption of a control framework is not critical to having a successful information security strategy. Policies are developed subsequent to, and as a part of, implementing a strategy.

Answer 105

A

Cultures of the different countriesCulture has a significant impact on how information security will be implemented. Representation by regional business leaders may not have a major influence unless it concerns cultural issues. Composition of the board may not have a significant impact compared to cultural issues. IT security skills are not as key or high impact in designing a multinational information security program as would be cultural issues.

Answer 106

A

Increased business valueInvesting in an information security program should increase business value and confidence. Cost reduction by itself is rarely the motivator for implementing an information security program. Compliance is secondary to business value. Increasing business value may include protection of business assets.

Answer 107

A

a statement regarding what the company will do with the information it collects.Most privacy laws and regulations require disclosure on how information will be used. A disclaimer is not necessary since it does not refer to data privacy. Technical details regarding how information is protected are not mandatory to publish on the web site and in fact would not be desirable. It is not mandatory to say where information is being hosted.

Answer 108

A

alignment with organizational goals and objectives.The success of security programs is dependent upon alignment with organizational goals and objectives. Communication is a secondary step. Effective communication and education of users is a critical determinant of success but alignment with organizational goals and objectives is the most important factor for success. Mere formulation of policies without effective communication to users will not ensure success. Monitoring compliance with information security policies and procedures can be, at best, a detective mechanism that will not lead to success in the midst of uninformed users.

Answer 109

A

A security program that enables business activitiesA security program enabling business activities would be most helpful to achieve alignment between information security and organization objectives. All of the other choices are part of the security program and would not individually and directly help as much as the security program.

Answer 110

A

Continuous analysis, monitoring and feedbackTo improve the governance framework and achieve a higher level of maturity, an organization needs to conduct continuous analysis, monitoring and feedback compared to the current state of maturity. Return on security investment (ROI) may show the performance result of the security-related activities; however, the result is interpreted in terms of money and extends to multiple facets of security initiatives. Thus, it may not be an adequate option. Continuous risk reduction would demonstrate the effectiveness of the security governance framework, but does not indicate a higher level of maturity. Key risk indicator (KRI) setup is a tool to be used in internal control assessment. KRI setup presents a threshold to alert management when controls are being compromised in business processes. This is a control tool rather than a maturity model support tool.

Answer 111

A

includes appropriate justification.Management is primarily interested in security solutions that can address risks in the most cost-effective way. To address the needs of an organization, a business case should address appropriate security solutions in line with the organizational strategy.

Answer 112

A

Organizational goalsAlignment of security with business objectives requires an understanding of what an organization is trying to accomplish. The other choices are all elements that must be considered, but their importance is secondary and will vary depending on organizational goals.

Answer 113

A

It is easier to manage and control.It is easier to manage and control a centralized structure. Promoting security awareness is an advantage of decentralization. Decentralization allows you to use field security personnel as security missionaries or ambassadors to spread the security awareness message. Decentralized operations allow security administrators to be more responsive. Being close to the business allows decentralized security administrators to achieve a faster turnaround than that achieved in a centralized operation. It is easier to manage and control.

Answer 114

A

Obtain strong management supportManagement support and pressure will help to change an organization’s culture. Procedures will support an information security policy, but cannot change the culture of the organization. Technical controls will provide more security to an information system and staff; however, this does not mean the culture will be changed. Auditing will help to ensure the effectiveness of the information security policy; however, auditing is not effective in changing the culture of the company. Obtain strong management support.

Answer 115

A

a business case.A business case shows both direct and indirect benefits, along with the investment required and the expected returns, thus making it useful to present to senior management. Return on investment (ROI) would only provide the costs needed to preclude specific risks, and would not provide other indirect benefits such as process improvement and learning. A vulnerability assessment is more technical in nature and would only identify and assess the vulnerabilities. This would also not provide insights on indirect benefits. Annual loss expectancy (ALE) would not weigh the advantages of implementing single sign-on (SSO) in comparison to the cost of implementation.

Answer 116

A

obtain high-level sponsorship.The establishment of a security governance program is possible only with the support and sponsorship of top management since security governance projects are enterprise wide and integrated into business processes. Conducting a risk assessment, conducting a workshop for all end users and preparing a security budget all follow once high-level sponsorship is obtained.

Answer 117

A

conflicting security controls with organizational needs.The needs of the organization were not taken into account, so there is a conflict. This example is not strong protection, it is poorly configured. Implementing appropriate controls to reduce risk is not an appropriate control as it is being used. This does not prove the ability to protect, but proves the ability to interfere with business.

Answer 118

A

managing risk relative to business objectives.Organizations must manage risks to a level that is acceptable for their business model, goals and objectives. A zero-level approach may be costly and not provide the effective benefit of additional revenue to the organization. Long-term maintenance of this approach may not be cost effective. Risks vary as business models, geography, and regulatory- and operational processes change. Insurance covers only a small portion of risks and requires that the organization have certain operational controls in place.

Answer 119

A

A cost-benefit analysis of budgeted resourcesA brief explanation of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Explanations of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget. Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval.

Answer 120

A

Reduction of the potential for civil or legal liabilityInformation security governance decreases the risk of civil or legal liability. The remaining answers are incorrect. Direct involvement in developing control processes, while likely true, is not the correct answer either.

Answer 121

A

clear alignment with the goals and objectives of the organization.Organization maturity level for the protection of information is a clear alignment with goals and objectives of the organization. Experience in previous projects is dependent upon other business models which may not be applicable to the current model. Best business practices may not be applicable to the organization’s business needs. Safeguards inherent to existing technology are low cost but may not address all business needs and/or goals of the organization.

Answer 122

A

business owner.Business owners are ultimately responsible for their applications. The legal department, compliance officer and information security manager all can advise, but do not have final responsibility.

Answer 123

A

analyzed under the retention policy.This is the type of analysis that will determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources, and, in the case of sensitive personal information, can increase the risk of data compromise. The other answers are attributes that should be considered in the destruction and retention policy. A BIA could help determine that this information does not support the main objective of the business, but does not indicate the action to take.

Answer 124

A

Laws and regulations of the country of origin may not be enforceable in the foreign country.A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. A security breach notification delay due to the time difference is not a problem; time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Needing to install additional network intrusion detectors is a manageable problem that requires additional funding, but can be addressed. Losing physical control over the server and be unable to monitor the physical security posture of the servers is also a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or a SAS 70 report can address such concerns.

Answer 125

A

utilizing a top-down approach.Effective IT governance needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of the same. Focus on the regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. IT governance affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process, but cannot take full responsibility.

Answer 126

A

gain the endorsement of executive management.Endorsement of executive management in the form of policies provides direction and awareness. The implementation of stronger controls may lead to circumvention. Awareness training is important, but must be based on policies. Actively monitoring operations will not affect culture at all levels.

Answer 127

A

Obtain the support of the board of directors.It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Improving the content of the IS awareness program and employees’ knowledge are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Implementing logical access controls is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.

Answer 128

A

setting the strategic direction of the program.A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company’s vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.

Answer 129

A

Review of the assessment with executive management for final inputExecutive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process.

Answer 130

A

Senior managementRoutine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

Answer 131

A

Require management to report on complianceInformation security governance is the responsibility of the board of directors and executive management. In this instance, the appropriate action is to ensure that a plan is in place for implementation of needed safeguards and to require updates on that implementation.

Answer 132

A

a balance between technical and business requirements.Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.

Answer 133

A

Support of senior managementWithout the support of senior management, an information security program has little chance of survival. A company’s leadership group, more than any other group, will more successfully drive the program. Their authoritative position in the company is a key factor. Budget approval, resource commitments, and companywide participation also require the buy-in from senior management. Senior management is responsible for providing an adequate budget and the necessary resources. Security awareness is important, but not the most important factor. Recalculation of the work factor is a part of risk management.

Answer 134

A

Information security plans are not aligned with business requirementsThe steering committee controls the execution of the information security strategy, according to the needs of the organization, and decides on the project prioritization and the execution plan. User management is an important group that should be represented to ensure that the information security plans are aligned with the business needs. Functional requirements and user training programs are considered to be part of the projects but are not the main risks. The steering committee does not approve budgets for business units.

Answer 135

A

the plan aligns with the organization’s business plan.The steering committee controls the execution of the information security strategy according to the needs of the organization and decides on the project prioritization and the execution plan. The steering committee does not allocate department budgets for business units. While ensuring that regulatory oversight requirements are met could be a consideration, it is not the main reason for the review. Reducing the impact on the business units is a secondary concern but not the main reason for the review.

Answer 136

A

Organizational objectives and risk appetiteWhile defining risk management strategies, one needs to analyze the organization’s objectives and risk appetite and define a risk management framework based on this analysis. Some organizations may accept known risks, while others may invest in and apply mitigation controls to reduce risks. Risk assessment criteria would become part of this framework, but only after proper analysis. IT architecture complexity and enterprise disaster recovery plans are more directly related to assessing risks than defining strategies. Organizational objectives and risk appetite.

Answer 137

A

Preserving the confidentiality of sensitive dataThe goal of information security is to protect the organization’s information assets. International security standards are situational, depending upon the company and its business. Adhering to corporate privacy standards is important, but those standards must be appropriate and adequate and are not the most important factor to consider. All employees are responsible for information security, but it is not the most important factor to consider.

Answer 138

A

To help determine the current state of riskThe BIA is included as part of the process to determine the current state of risk and helps determine the acceptable levels of response from impacts and the current level of response, leading to a gap analysis. Budgeting appropriately may come as a result, but is not the reason to perform the analysis. Performing an analysis may satisfy regulatory requirements, but is not the reason to perform one. Analyzing the effect on the business is part of the process, but one must also determine the needs or acceptable effect or response.

Answer 139

A

acceptanceAcceptance of a risk is an alternative to be considered in the risk mitigation process. Assessment, evaluation and risk quantification are components of the risk analysis process that are completed prior to determining risk mitigation solutions.

Brainscape's Knowledge GenomeTM

CISM Practice A Topic 1 Flashcards

Brainscape's Knowledge Genome^TM