CISM Self Assessment 1 - 15th Edition Flashcards
A security strategy is important for an organization PRIMARILY because it:
A. provides a basis for determining the best logical security architecture for the organization.
B. provides the approach to achieving the outcomes management wants.
C. provides users guidance on how to operate securely in everyday tasks.
D. helps IS auditors ensure compliance.
B. provides the approach to achieving the outcomes management wants.
A security strategy will define the approach to achieving the security program outcomes management wants. It should also be a statement of how security aligns with and supports business objectives, and it provides the basis for good security governance.
Which of the following is the MOST important reason to provide effective communication about information security?
A. It makes information security more palatable to resistant employees.
B. It mitigates the weakest link in the information security landscape.
C. It informs business units about the information security strategy.
D. It helps the organization conform to regulatory information security requirements.
B. It mitigates the weakest link in the information security landscape.
Security failures are, in the majority of instances, directly attributable to lack of awareness or failure of employees to follow policies or procedures. Communication is important to ensure continued awareness of security policies and procedures among staff and business partners.
Which of the following approaches BEST helps the information security manager achieve compliance with various regulatory requirements?
A. Rely on corporate counsel to advise which regulations are the most relevant.
B. Stay current with all relevant regulations and request legal interpretation.
C. Involve all impacted departments and treat regulations as just another risk.
D. Ignore many of the regulations that have no penalties.
C. Involve all impacted departments and treat regulations as just an
Departments such as human resources, finance and legal are most often subject to new regulations and, therefore, must be involved in determining how best to meet the existing and emerging requirements and, typically, would be most aware of these regulations. Treating regulations as another risk puts them in the proper perspective, and the mechanisms to deal with them should already exist. The fact that there are so many regulations makes it unlikely that they can all be specifically addressed efficiently. Many
do not currently have significant consequences and, in fact, may be addressed by compliance with other regulations. The most relevant response to regulatory requirements is to determine potential impact to the organization just as must be done with any other risk.
The MOST important consideration in developing security policies is that:
A. they are based on a threat profile.
B. they are complete and no detail is left out.
C. management signs off on them.
D. all employees read and understand them.
A. they are based on a threat profile.
The basis for developing relevant security policies
is addressing viable threats to the organization, prioritized by the likelihood of occurrence and
their potential impact on the business. The strictest policies apply to the areas of greatest business value. This ensures that protection proportionality is maintained.
The PRIMARY security objective in creating good procedures is:
A. to make sure they work as intended.
B. that they are unambiguous and meet the standards.
C. that they are written in plain language and widely
distributed.
D. that compliance can be monitored.
B. that they are unambiguous and meet the standards.
All of the answers are important, but the first criterion must be to ensure that there is no ambiguity in the procedures and that, from a security perspective, they meet the applicable standards and, therefore, comply with policy.
Which of the following MOST helps ensure that assignment of roles and responsibilities is effective?
A. Senior management is in support of the assignments. B. The assignments are consistent with existing
proficiencies.
C. The assignments are mapped to required skills.
D. The assignments are given on a voluntary basis.
B. The assignments are consistent with existing
proficiencies.
The level of effectiveness of employees will be determined by their existing knowledge and capabilities—in other words, their proficiencies.
Which of the following benefits is the MOST important to an organization with effective information security governance?
A. Maintaining appropriate regulatory compliance
B. Ensuring disruptions are within acceptable levels
C. Prioritizing allocation of remedial resources
D. Maximizing return on security investments
B. Ensuring disruptions are within acceptable levels
The bottom line of security efforts is to ensure that business can continue to operate with an acceptable level of disruption that does not unduly constrain revenue-producing activities.
From an information security manager’s perspective, the MOST important factors regarding data retention are:
A. business and regulatory requirements.
B. document integrity and destruction.
C. media availability and storage.
D. data confidentiality and encryption.
A. business and regulatory requirements.
Business and regulatory requirements are the
driving factors for data retention.
Which role is in the BEST position to review and confirm the appropriateness of a user access list?
A. Data owner
B. Information security manager
C. Domain administrator
D. Business manager
A. Data owner
The data owner is responsible for periodic reconfirmation of the access lists for systems he/she owns.
In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.
A. developing the security strategy.
The information security manager is responsible
for developing a security strategy based on business objectives with the help of business process owners and senior management.
