CISM Study Guide Flashcards
The MAIN benefit of implementing a data loss prevention (DLP) solution is to:
A. enhance the organization’s antivirus controls.
B. eliminate the risk of data loss.
C. complement the organization’s detective controls.
D. reduce the need for a security awareness program.
Answer: C
Explanation:
A data loss prevention (DLP) solution is a type of detective control that monitors and prevents
unauthorized transmission or leakage of sensitive data from the organization. A DLP solution can
enhance the organization’s antivirus controls by detecting and blocking malicious code that attempts
to exfiltrate data, but this is not its main benefit.
During which of the following phases should an incident response team document actions required
to remove the threat that caused the incident?
A. Post-incident review
B. Eradication
C. Containment
D. Identification
Answer: B
The eradication phase of incident response is the stage where the incident response team
documents and performs the actions required to remove the threat that caused the incident. This
phase involves identifying and eliminating the root cause of the incident, such as malware,
compromised accounts, unauthorized access, or misconfigured systems. The eradication phase also
involves restoring the affected systems to a secure state, deleting any malicious files or artifacts, and
verifying that the threat has been completely removed. The eradication phase is the first step in
returning a compromised environment to its proper state.
Which of the following is PRIMARILY determined by asset classification?
A. Insurance coverage required for assets
B. Level of protection required for assets
C. Priority for asset replacement
D. Replacement cost of assets
Answer: B
Asset classification is the process of assigning a value to information assets based on their
importance to the organization and the potential impact of their compromise, loss or
damage. Asset classification helps to determine the level of protection required for assets, which is
proportional to their value and sensitivity. Asset classification also facilitates risk assessment and
management, as well as compliance with legal, regulatory and contractual requirements.
A CISO learns that a third-party service provider did not notify the organization of a data breach that
affected the service provider’s data center. Which of the following should the CISO do FIRST?
A. Recommend canceling the outsourcing contract.
B. Request an independent review of the provider’s data center.
C. Notify affected customers of the data breach.
D. Determine the extent of the impact to the organization.
Answer: D
Explanation:
The CISO should first determine the extent of the impact to the organization by assessing the nature
and scope of the data breach, the type and sensitivity of the data involved, the potential harm to the
organization and its customers, and the legal and contractual obligations of the organization and the
service provider. This will help the CISO to prioritize the appropriate actions and resources to
respond to the incident and mitigate the risks.
An information security manager developing an incident response plan MUST ensure it includes:
A. an inventory of critical data.
B. criteria for escalation.
C. a business impact analysis (BIA).
D. critical infrastructure diagrams.
Answer: B
Explanation:
An incident response plan is a set of procedures and guidelines that define the roles and
responsibilities of the incident response team, the steps to follow in the event of an incident, and the
communication and escalation protocols to ensure timely and effective resolution of incidents. One
of the essential components of an incident response plan is the criteria for escalation, which specify
the conditions and thresholds that trigger the escalation of an incident to a higher level of authority
or a different function within the organization. The criteria for escalation may depend on factors such as the severity, impact, duration, scope, and complexity of the incident, as well as the availability and
capability of the incident response team. The criteria for escalation help to ensure that incidents are
handled by the appropriate personnel, that management is kept informed and involved, and that the necessary resources and support are provided to resolve the incident.
Which of the following BEST supports the incident management process for attacks on an
organization’s supply chain?
A. Including service level agreements (SLAs) in vendor contracts
B. Establishing communication paths with vendors
C. Requiring security awareness training for vendor staff
D. Performing integration testing with vendor systems
Answer: A
Explanation:
The best way to support the incident management process for attacks on an organization’s supply
chain is to establish communication paths with vendors. This means that the organization and its
vendors have clear and agreed-upon channels, methods, and protocols for exchanging information
and coordinating actions in the event of an incident that affects the supply chain.
Which of the following BEST ensures information security governance is aligned with corporate
governance?
A. A security steering committee including IT representation
B. A consistent risk management approach
C. An information security risk register
D. Integration of security reporting into corporate reporting
Answer: D
Explanation:
The best way to ensure information security governance is aligned with corporate governance is to
integrate security reporting into corporate reporting. This will enable the board and senior
management to oversee and monitor the performance and effectiveness of the information security
program, as well as the alignment of information security objectives and strategies with business
goals and risk appetite. Security reporting should provide relevant, timely, accurate, and actionable
information to support decision making and accountability.
Which of the following should an information security manager do FIRST upon learning that some
security hardening settings may negatively impact future business activity?
A. Perform a risk assessment.
B. Reduce security hardening settings.
C. Inform business management of the risk.
D. Document a security exception.
Answer: A
Explanation:
Security hardening is the process of applying security configuration settings to systems and software
to reduce their attack surface and improve their resistance to threats. Security hardening settings
are based on industry standards and best practices, such as the CIS Benchmarks, which provide
recommended security configurations for various software applications, operating systems, and
network devices. However, security hardening settings may not always be compatible with the
business requirements and objectives of an organization, and may negatively impact the
functionality, performance, or usability of the systems and software. Therefore, before applying any
security hardening settings, an information security manager should perform a risk assessment to
evaluate the potential benefits and drawbacks of the settings, and to identify and prioritize the risks
associated with them. A risk assessment is a systematic process of identifying, analyzing, and
evaluating the risks that an organization faces, and determining the appropriate risk responses. A risk
assessment helps the information security manager to balance the security and business needs of the organization, and to communicate the risk level and impact to the relevant stakeholders. A risk
assessment should be performed first, before taking any other actions, such as reducing security
hardening settings, informing business management of the risk, or documenting a security exception, because it provides the necessary information and justification for making informed and rational decisions.
Which of the following is the MOST important reason to ensure information security is aligned with
the organization’s strategy?
A. To identify the organization’s risk tolerance
B. To improve security processes
C. To align security roles and responsibilities
D. To optimize security risk management
Answer: D
Explanation:
The most important reason to ensure information security is aligned with the organization’s
strategy is to optimize security risk management. Information security is not an isolated function, but
rather an integral part of the organization’s overall objectives, processes, and governance. By
aligning information security with the organization’s strategy, the information security manager can
ensure that security risks are identified, assessed, treated, and monitored in a consistent, effective,
and efficient manner. Alignment also enables the information security manager to communicate
the value and benefits of information security to senior management and other stakeholders, and to
justify the allocation of resources and investments for security initiatives. Alignment also helps to
establish clear roles and responsibilities for information security across the organization, and to
foster a culture of security awareness and accountability. Therefore, alignment is essential for
optimizing security risk management, which is the process of balancing the protection of information
assets with the business objectives and risk appetite of the organization.
Which of the following should be the MOST important consideration when establishing information
security policies for an organization?
A. Job descriptions include requirements to read security policies.
B. The policies are updated annually.
C. Senior management supports the policies.
D. The policies are aligned to industry best practices.
Answer: C
Explanation:
The most important consideration when establishing information security policies for an organization
is to ensure that senior management supports the policies. Senior management support is essential
for the successful implementation and enforcement of information security policies, as it
demonstrates the commitment and accountability of the organization’s leadership to information
security. Senior management support also helps to allocate adequate resources, establish clear roles
and responsibilities, and promote a security-aware culture within the organization. Without senior
management support, information security policies may not be aligned with the organization’s goals
and objectives, may not be communicated and disseminated effectively, and may not be followed or
enforced consistently.
Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?
A. Threat management is enhanced.
B. Compliance status is improved.
C. Security metrics are enhanced.
D. Proactive risk management is facilitated.
Answer: D
Explanation:
A vulnerability assessment process is a systematic and proactive approach to identify, analyze and
prioritize the vulnerabilities in an information system. It helps to reduce the exposure of the system
to potential threats and improve the security posture of the organization. By implementing a
vulnerability assessment process, the organization can facilitate proactive risk management, which is
the PRIMARY benefit of this process. Proactive risk management is the process of identifying,
assessing and mitigating risks before they become incidents or cause significant impact to the
organization. Proactive risk management enables the organization to align its security strategy with
its business objectives, optimize its security resources and investments and enhance its resilience
and compliance.
Which of the following is the PRIMARY benefit of implementing a vulnerability assessment process?
A. Threat management is enhanced.
B. Compliance status is improved.
C. Security metrics are enhanced.
D. Proactive risk management is facilitated.
Answer: D
Explanation:
The primary benefit of implementing a vulnerability assessment process is to facilitate proactive risk
management. A vulnerability assessment process is a systematic and periodic evaluation of the
security posture of an information system or network, which identifies and measures the
weaknesses and exposures that may be exploited by threats. By implementing a vulnerability
assessment process, the organization can proactively identify and prioritize the risks, and implement
appropriate controls and mitigation strategies to reduce the likelihood and impact of potential
incidents.
When properly implemented, secure transmission protocols protect transactions:
A. from eavesdropping.
B. from denial of service (DoS) attacks.
C. on the client desktop.
D. in the server’s database.
Answer: A
Explanation:
Secure transmission protocols are network protocols that ensure the integrity and security of data
transmitted across network connections. The specific network security protocol used depends on the
type of protected data and network connection. Each protocol defines the techniques and
procedures required to protect the network data from unauthorized or malicious attempts to read or
exfiltrate information. One of the most common threats to network data is eavesdropping, which is
the interception and analysis of network traffic by an unauthorized third party. Eavesdropping can
compromise the confidentiality, integrity, and availability of network data, and can lead to data
breaches, identity theft, fraud, espionage, and sabotage.
Which of the following is MOST important to have in place as a basis for developing an effective
information security program that supports the organization’s business goals?
A. Metrics to drive the information security program
B. Information security policies
C. A defined security organizational structure
D. An information security strategy
Answer: D
Explanation:
An information security strategy is the most important element to have in place as a basis for
developing an effective information security program that supports the organization’s business
goals. An information security strategy is a high-level plan that defines the vision, mission,
objectives, scope, and principles of information security for the organization. It also aligns the
information security program with the organization’s strategy, culture, risk appetite, and governance
framework. An information security strategy provides the direction, guidance, and justification for
the information security program, and ensures that the program is consistent, coherent, and
comprehensive. An information security strategy also helps to prioritize the information security
initiatives, allocate the resources and measure the performance and value of the information
security program.
Which of the following is the MOST important consideration when establishing an organization’s
information security governance committee?
A. Members have knowledge of information security controls.
B. Members are business risk owners.
C. Members are rotated periodically.
D. Members represent functions across the organization.
Answer: D
Explanation:
The most important consideration when establishing an organization’s information security
governance committee is to ensure that members represent functions across the organization. This is
because the information security governance committee is responsible for setting the direction,
scope, and objectives of the information security program, and for ensuring that the program aligns
with the organization’s business goals and strategies. By having members from different functions,
such as finance, human resources, operations, legal, and IT, the committee can ensure that the
information security program considers the needs, expectations, and perspectives of various
stakeholders, and that the program supports the organization’s mission, vision, and values. Having a
diverse and representative committee also helps to foster a culture of security awareness and
accountability throughout the organization, and to promote collaboration and communication
among different functions.
An information security manager learns that a risk owner has approved exceptions to replace key
controls with weaker compensating controls to improve process efficiency. Which of the following
should be the GREATEST concern?
A. Risk levels may be elevated beyond acceptable limits.
B. Security audits may report more high-risk findings.
C. The compensating controls may not be cost efficient.
D. Noncompliance with industry best practices may result.
Answer: A
Explanation:
Replacing key controls with weaker compensating controls may introduce new vulnerabilities or
increase the likelihood or impact of existing threats, thus raising the risk levels beyond the
acceptable limits defined by the risk appetite and tolerance of the organization. This may expose the
organization to unacceptable losses or damages, such as financial, reputational, legal, or operational.
Therefore, the information security manager should be most concerned about the potential
elevation of risk levels and ensure that the risk owner is aware of the consequences and is accountable
for the decision.
Which of the following BEST indicates that information assets are classified accurately?
A. Appropriate prioritization of information risk treatment
B. Increased compliance with information security policy
C. Appropriate assignment of information asset owners
D. An accurate and complete information asset catalog
Answer: A
Explanation:
The best indicator that information assets are classified accurately is appropriate prioritization of
information risk treatment. Information asset classification is the process of assigning a level of
sensitivity or criticality to information assets based on their value, impact, and legal or regulatory
requirements. The purpose of information asset classification is to facilitate the identification and
protection of information assets according to their importance and risk exposure. Therefore, if
information assets are classified accurately, the organization can prioritize the information risk
treatment activities and allocate the resources accordingly.
Which of the following is MOST important to include in a post-incident review following a data
breach?
A. An evaluation of the effectiveness of the information security strategy
B. Evaluations of the adequacy of existing controls
C. Documentation of regulatory reporting requirements
D. A review of the forensics chain of custody
Answer: B
Explanation:
A post-incident review is a process of analyzing and learning from a security incident, such as a data
breach, to improve the security posture and resilience of an organization. A post-incident review
should include the following elements:
A clear and accurate description of the incident, including its scope, impact, timeline, root cause, and
contributing factors.
A detailed assessment of the effectiveness and efficiency of the incident response process, including
the roles and responsibilities, communication channels, coordination mechanisms, escalation
procedures, tools and resources, documentation, and reporting.
An evaluation of the adequacy of existing controls, such as policies, standards, procedures, technical
measures, awareness, and training, to prevent, detect, and mitigate similar incidents in the future.
A list of actionable recommendations and improvement plans, based on the lessons learned and best
practices, to address the identified gaps and weaknesses in the security strategy, governance, risk
management, and incident management.
A follow-up and monitoring mechanism to ensure the implementation and verification of the
recommendations and improvement plans.
The most important element to include in a post-incident review following a data breach is the
evaluation of the adequacy of existing controls, because it directly relates to the security objectives
and requirements of the organization, and provides the basis for enhancing the security posture and
resilience of the organization. Evaluating the existing controls helps to identify the vulnerabilities and
risks that led to the data breach, and to determine the appropriate corrective and preventive actions
to reduce the likelihood and impact of similar incidents in the future. Evaluating the existing controls
also helps to align the security strategy and governance with the business goals and objectives, and
to ensure the compliance with legal, regulatory, and contractual obligations.
Which of the following should be the PRIMARY area of focus when mitigating security risks
associated with emerging technologies?
A. Compatibility with legacy systems
B. Application of corporate hardening standards
C. Integration with existing access controls
D. Unknown vulnerabilities
Answer: D
Explanation:
The primary area of focus when mitigating security risks associated with emerging technologies is
unknown vulnerabilities. Emerging technologies are new and complex, and often involve multiple
parties, interdependencies, and uncertainties. Therefore, they may have unknown vulnerabilities
that could expose the organization to threats that are difficult to predict, detect, or
prevent. Unknown vulnerabilities could also result from the lack of experience, knowledge, or best
practices in implementing, operating, or securing emerging technologies. Unknown vulnerabilities
could lead to serious consequences, such as data breaches, system failures, reputational damage,
legal liabilities, or regulatory sanctions. Therefore, it is important to focus on identifying, assessing,
and addressing unknown vulnerabilities when mitigating security risks associated with emerging
technologies.
Which of the following would be the MOST effective way to present quarterly reports to the board on
the status of the information security program?
A. A capability and maturity assessment
B. Detailed analysis of security program KPIs
C. An information security dashboard
D. An information security risk register
Answer: C
Explanation:
An information security dashboard is the most effective way to present quarterly reports to the
board on the status of the information security program, because it provides a concise, visual, and
high-level overview of the key performance indicators (KPIs), metrics, and trends of the information
security program. An information security dashboard can help the board to quickly and easily
understand the current state, progress, and performance of the information security program, and to
identify any gaps, issues, or areas of improvement. An information security dashboard can also help
the board to align the information security program with the organization’s business goals and
strategies, and to support the decision-making and oversight functions of the board.
Which of the following is MOST useful to an information security manager when conducting a post-
incident review of an attack?
A. Cost of the attack to the organization
B. Location of the attacker
C. Method of operation used by the attacker
D. Details from intrusion detection system (IDS) logs
Answer: C
Explanation:
The method of operation used by the attacker is the most useful information for an information
security manager when conducting a post-incident review of an attack. This information can help
identify the root cause of the incident, the vulnerabilities exploited, the impact and severity of the
attack, and the effectiveness of the existing security controls. The method of operation can also
provide insights into the attacker’s motives, skills, and resources, which can help improve the
organization’s threat intelligence and risk assessment.
Which of the following is the MOST important criterion when deciding whether to accept residual
risk?
A. Cost of replacing the asset
B. Cost of additional mitigation
C. Annual loss expectancy (ALE)
D. Annual rate of occurrence
Answer: C
Explanation:
Annual loss expectancy (ALE) is the most important criterion when deciding whether to accept
residual risk, because it represents the expected monetary loss for an asset due to a risk over a one-
year period. ALE is calculated by multiplying the annual rate of occurrence (ARO) of a risk event by
the single loss expectancy (SLE) of the asset. ARO is the estimated frequency of a risk event occurring
within a one-year period, and SLE is the estimated cost of a single occurrence of a risk event. ALE
helps to compare the cost and benefit of different risk responses, such as avoidance, mitigation,
transfer, or acceptance. Risk acceptance is appropriate when the ALE is lower than the cost of other
risk responses, or when the risk is unavoidable or acceptable within the organization’s risk appetite
and tolerance. ALE also helps to prioritize the risks that need more attention and resources.
An organization is planning to outsource the execution of its disaster recovery activities. Which of the
following would be MOST important to include in the outsourcing agreement?
A. Definition of when a disaster should be declared
B. Requirements for regularly testing backups
C. Recovery time objectives (RTOs)
D. The disaster recovery communication plan
Answer: C
Explanation:
The most important thing to include in the outsourcing agreement for disaster recovery activities is
the recovery time objectives (RTOs). RTOs are the maximum acceptable time frames within which
the critical business processes and information systems must be restored after a disaster or
disruption. RTOs are based on the business impact analysis (BIA) and the risk assessment, and they
reflect the business continuity requirements and expectations of the organization. By including the
RTOs in the outsourcing agreement, the organization can ensure that the service provider is aware of
and committed to meeting the agreed service levels and minimizing the downtime and losses in the
event of a disaster.
An organization plans to offer clients a new service that is subject to regulations. What should the
organization do FIRST when developing a security strategy in support of this new service?
A. Determine security controls for the new service.
B. Establish a compliance program.
C. Perform a gap analysis against the current state.
D. Hire new resources to support the service.
Answer: C
Explanation:
A gap analysis is a process of comparing the current state of an organization’s security posture with the desired or required state, and identifying the gaps or discrepancies that need to be addressed. A gap analysis helps to determine the current level of compliance with relevant regulations, standards, and best practices, and to prioritize the actions and resources needed to achieve the desired level of compliance. A gap analysis should be performed first when developing a security strategy in support of a new service that is subject to regulations, because it provides the following benefits:
It helps to understand the scope and impact of the new service on the organization’s security objectives, risks, and controls.
It helps to identify the legal, regulatory, and contractual requirements that apply to the new service, and the potential penalties or consequences of non-compliance.
It helps to assess the effectiveness and efficiency of the existing security controls, and to identify the gaps or weaknesses that need to be remediated or enhanced.
It helps to align the security strategy with the business goals and objectives of the new service, and to ensure the security strategy is consistent and coherent across the organization.
It helps to communicate the security requirements and expectations to the stakeholders involved in the new service, and to obtain their support and commitment.
Which of the following is MOST helpful in determining an organization’s current capacity to mitigate
risks?
A. Capability maturity model
B. Vulnerability assessment
C. IT security risk and exposure
D. Business impact analysis (BIA)
Answer: A
Explanation:
A capability maturity model (CMM) is a framework that helps organizations assess and improve their
processes and capabilities in various domains, such as software development, project management, information security, and others. A CMM defines a set of levels or stages that represent the degree of maturity or effectiveness of an organization’s processes and capabilities in a specific domain. Each level has a set of criteria or characteristics that an organization must meet to achieve that level of
maturity. A CMM also provides guidance and best practices on how to progress from one level to another, and how to measure and monitor the performance and improvement of the processes and
capabilities.
A CMM is most helpful in determining an organization’s current capacity to mitigate risks, because it provides a systematic and objective way to evaluate the strengths and weaknesses of the
organization’s processes and capabilities related to risk management. A CMM can help an organization identify the gaps and opportunities for improvement in its risk management practices, and prioritize the actions and resources needed to address them. A CMM can also help an organization benchmark its risk management maturity against industry standards or best practices, and demonstrate its compliance with regulatory or contractual requirements.
An organization is close to going live with the implementation of a cloud-based application.
Independent penetration test results have been received that show a high-rated vulnerability. Which
of the following would be the BEST way to proceed?
A. Implement the application and request the cloud service provider to fix the vulnerability.
B. Assess whether the vulnerability is within the organization’s risk tolerance levels.
C. Commission further penetration tests to validate initial test results.
D. Postpone the implementation until the vulnerability has been fixed.
Explanation:
The best way to proceed when an independent penetration test results show a high-rated
vulnerability in a cloud-based application that is close to going live is to assess whether the
vulnerability is within the organization’s risk tolerance levels. This is because the organization should
not implement the application without understanding the potential impact and likelihood of the
vulnerability being exploited, and the cost and benefit of fixing or mitigating the vulnerability. The
organization should also consider the contractual and legal obligations, service level agreements, and
performance expectations of the cloud service provider and the application users. By assessing the
risk tolerance levels, the organization can make an informed and rational decision on whether to
accept, transfer, avoid, or reduce the risk, and how to allocate the resources and responsibilities for
managing the risk.
Which of the following messages would be MOST effective in obtaining senior management’s
commitment to information security management?
A. Effective security eliminates risk to the business.
B. Adopt a recognized framework with metrics.
C. Security is a business product and not a process.
D. Security supports and protects the business.
Answer: D
Explanation:
The message that security supports and protects the business is the most effective in obtaining senior management’s commitment to information security management. This message emphasizes
the value and benefits of security for the organization’s strategic goals, mission, and vision. It also aligns security with the business needs and expectations, and demonstrates how security can enable
and facilitate the business processes and functions.
Who is BEST suited to determine how the information in a database should be classified?
A. Database analyst
B. Database administrator (DBA)
C. Information security analyst
D. Data owner
Answer: D
Explanation:
The data owner is best suited to determine how the information in a database should be classified,
because the data owner is the person who has the authority and responsibility for the data and its
protection. The data owner is accountable for the business value, quality, integrity, and security of the
data. The data owner also defines the data classification criteria and levels based on the data sensitivity,
criticality, and regulatory requirements. The data owner assigns the data custodian and grants the data
access rights to the data users. The data owner reviews and approves the data classification policies and
procedures, and ensures compliance with them.
In order to understand an organization’s security posture, it is MOST important for an organization’s
senior leadership to:
A. evaluate results of the most recent incident response test.
B. review the number of reported security incidents.
C. ensure established security metrics are reported.
D. assess progress of risk mitigation efforts.
Answer: D
Explanation:
According to the CISM Review Manual, an organization’s security posture is the overall condition of
its information security, which is determined by the effectiveness of its security program and the
alignment of its security objectives with its business goals. To understand the security posture, the
senior leadership needs to have a holistic view of the security risks and the actions taken to address
them. Therefore, assessing the progress of risk mitigation efforts is the most important activity for
the senior leadership, as it provides them with the information on how well the security program is
performing and whether it is meeting the expected outcomes.
Which of the following provides an information security manager with the MOST accurate indication
of the organization’s ability to respond to a cyber attack?
A. Walk-through of the incident response plan
B. Black box penetration test
C. Simulated phishing exercise
D. Red team exercise
Answer: D
Explanation:
A red team exercise is a simulated cyber attack conducted by a group of ethical hackers or security experts (the red team) against an organization’s network, systems, and staff (the blue team) to test
the organization’s ability to detect, respond, and recover from a real cyber attack. A red team exercise provides an information security manager with the most accurate indication of the organization’s ability to respond to a cyber attack, because it mimics the tactics, techniques, and procedures of real threat actors, and challenges the organization’s security posture, incident response plan, and security awareness in a realistic and adversarial scenario. A red team exercise can measure the following aspects of the organization’s cyber attack response capability:
The effectiveness and efficiency of the security controls and processes in preventing, detecting, and mitigating cyber attacks
The readiness and performance of the incident response team and other stakeholders in following the incident response plan and procedures
The communication and coordination among the internal and external parties involved in the incident response process
The resilience and recovery of the critical assets and functions affected by the cyber attack
The lessons learned and improvement opportunities identified from the cyber attack simulation
Which of the following processes BEST supports the evaluation of incident response effectiveness?
A. Root cause analysis
B. Post-incident review
C. Chain of custody
D. Incident logging
Answer: B
Explanation:
A post-incident review (PIR) is the process of evaluating the effectiveness of the incident response
after the incident has been resolved. A PIR aims to identify the strengths and weaknesses of the
response process, the root causes and impacts of the incident, the lessons learned and best
practices, and the recommendations and action plans for improvement. A PIR can help an
organization enhance its incident response capabilities, reduce the likelihood and severity of future
incidents, and increase its resilience and maturity.
A PIR is the best process to support the evaluation of incident response effectiveness, because it
provides a systematic and comprehensive way to assess the performance and outcomes of the
response process, and to identify and implement the necessary changes and improvements. A PIR
involves collecting and analyzing relevant data and feedback from various sources, such as incident
logs, reports, evidence, metrics, surveys, interviews, and observations. A PIR also involves comparing
the actual response with the expected or planned response, and measuring the achievement of the
response objectives and the satisfaction of the stakeholders. A PIR also involves documenting and
communicating the findings, conclusions, and recommendations of the evaluation, and ensuring that
they are followed up and implemented.
When deciding to move to a cloud-based model, the FIRST consideration should be:
A. storage in a shared environment.
B. availability of the data.
C. data classification.
D. physical location of the data.
Answer: C
Explanation:
The first consideration when deciding to move to a cloud-based model should be data classification, because it helps the organization to identify the sensitivity, value, and criticality of the data that will
be stored, processed, or transmitted in the cloud. Data classification can help the organization to determine the appropriate level of protection, encryption, and access control for the data, and to
comply with the relevant legal, regulatory, and contractual requirements. Data classification can also help the organization to evaluate the suitability, compatibility, and trustworthiness of the cloud service provider and the cloud service model, and to negotiate the terms and conditions of the cloud service contract.
Which of the following is an information security manager’s BEST course of action when a threat intelligence report indicates a large number of ransomware attacks targeting the industry?
A. Increase the frequency of system backups.
B. Review the mitigating security controls.
C. Notify staff members of the threat.
D. Assess the risk to the organization.
Answer: D
Explanation:
The best course of action for an information security manager when a threat intelligence report indicates a large number of ransomware attacks targeting the industry is to assess the risk to the organization. This means evaluating the likelihood and impact of a potential ransomware attack on the organization’s assets, operations, and reputation based on the current threat landscape, the organization’s security posture, and the effectiveness of the existing security controls. A risk assessment can help the information security manager prioritize the most critical assets and processes, identify the gaps and weaknesses in the security architecture, and determine the
appropriate risk response strategies, such as avoidance, mitigation, transfer, or acceptance. A risk assessment can also provide a business case for requesting additional resources or support from
senior management to improve the organization’s security resilience and readiness.
An organization is going through a digital transformation process, which places the IT organization in
an unfamiliar risk landscape. The information security manager has been tasked with leading the IT
risk management process. Which of the following should be given the HIGHEST priority?
A. Identification of risk
B. Analysis of control gaps
C. Design of key risk indicators (KRIs)
D. Selection of risk treatment options
Answer: A
Explanation:
Identification of risk is the first and most important step in the IT risk management process, especially when the organization is undergoing a digital transformation that introduces new
technologies, processes, and business models. Identification of risk involves determining the sources, causes, and potential consequences of IT-related risks that may affect the organization’s
objectives, assets, and stakeholders. Identification of risk also helps to establish the risk context, scope, and criteria for the subsequent risk analysis, evaluation, and treatment. Without identifying
the risks, the information security manager cannot effectively assess the risk exposure, prioritize the risks, implement appropriate controls, monitor the risk performance, or communicate the risk
information to the relevant parties.
Which of the following BEST ensures timely and reliable access to services?
A. Nonrepudiation
B. Authenticity
C. Availability
D. Recovery time objective (RTO)
Answer: C
Explanation:
According to the CISM Review Manual, availability is the degree to which information and systems are accessible to authorized users in a timely and reliable manner. Availability ensures that services
are delivered to the users as expected and agreed upon. Nonrepudiation is the ability to prove the occurrence of a claimed event or action and its originating entities. It ensures that the parties involved in a transaction cannot deny their involvement. Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication. It ensures that the identity of a
subject or resource is valid. Recovery time objective (RTO) is the maximum acceptable period of time that can elapse before the unavailability of a business function severely impacts the organization. It is a metric used to measure the recovery capability of a system or service, not a factor that ensures timely and reliable access to services.
Which of the following is MOST helpful for determining which information security policies should be implemented by an organization?
A. Risk assessment
B. Business impact analysis (BIA)
C. Vulnerability assessment
D. Industry best practices
Answer: A
Explanation:
Information security policies are high-level statements or rules that define the goals and objectives of information security in an organization, and provide the framework and direction for
implementing and enforcing security controls and processes. Information security policies should be aligned with the organization’s business goals and objectives, and reflect the organization’s risk appetite and tolerance. Therefore, the most helpful activity for determining which information security policies should be implemented by an organization is a risk assessment.
A risk assessment is a systematic process of identifying, analyzing, and evaluating the risks that an organization faces, and determining the appropriate risk responses
The MOST important reason for having an information security manager serve on the change management committee is to:
A. identify changes to the information security policy.
B. ensure that changes are tested.
C. ensure changes are properly documented.
D. advise on change-related risk.
Answer: D
Explanation:
The most important reason for having an information security manager serve on the change management committee is to advise on change-related risk. Change management is the process of
planning, implementing, and controlling changes to the organization’s IT systems, processes, or services, in order to achieve the desired outcomes and minimize the negative impacts.
Change-related risk is the possibility of adverse consequences or events resulting from the changes, such as security breaches, system failures, data loss, compliance violations, or customer dissatisfaction.
The information security manager is responsible for ensuring that the organization’s information assets are protected from internal and external threats, and that the information security objectives
and requirements are aligned with the business goals and strategies
Which of the following parties should be responsible for determining access levels to an application that processes client information?
A. The business client
B. The information security team
C. The identity and access management team
D. Business unit management
Answer: D
Explanation:
The business client should be responsible for determining access levels to an application that processes client information, because the business client is the owner of the data and the primary
stakeholder of the application. The business client has the best knowledge and understanding of the business requirements, objectives, and expectations of the application, and the sensitivity, value, and criticality of the data. The business client can also define the roles and responsibilities of the users and the access rights and privileges of the users based on the principle of least privilege and
the principle of separation of duties. The business client can also monitor and review the access levels and the usage of the application, and ensure that the access levels are aligned with the
organization’s information security policies and standards.
Which of the following provides the BEST assurance that security policies are applied across business operations?
A. Organizational standards are included in awareness training.
B. Organizational standards are enforced by technical controls.
C. Organizational standards are required to be formally accepted.
D. Organizational standards are documented in operational procedures.
Answer: D
Explanation:
The best assurance that security policies are applied across business operations is that organizational standards are documented in operational procedures. Operational procedures are the
specific steps and actions that need to be taken to implement and comply with the security policies and standards. They provide clear and consistent guidance for the staff members who are responsible for performing the security tasks and functions. They also help to ensure that the security policies and standards are aligned with the business objectives and processes, and that they are measurable and auditable. Documenting the organizational standards in operational procedures can help to improve the security awareness, accountability, and performance of the staff members,
and to reduce the risks of errors, deviations, and violations.
Which of the following will have the GREATEST influence on the successful adoption of an information security governance program?
A. Security policies
B. Control effectiveness
C. Security management processes
D. Organizational culture
Answer: D
Explanation:
Organizational culture is the set of shared values, beliefs, and norms that influence the way employees think, feel, and behave in the workplace. It affects how employees perceive the importance of information security, how they comply with security policies and procedures, and how they support security initiatives and goals. A strong security culture can foster a sense of ownership,
responsibility, and accountability among employees, as well as a positive attitude toward security awareness and training. A weak security culture can lead to resistance, indifference, or hostility
toward security efforts, as well as increased risks of human errors, negligence, or malicious actions.
Therefore, organizational culture has the greatest influence on the successful adoption of an information security governance program, which requires the commitment and involvement of all
levels of the organization.
An organization is increasingly using Software as a Service (SaaS) to replace in-house hosting and support of IT applications. Which of the following would be the MOST effective way to help ensure
procurement decisions consider information security concerns?
A. Integrate information security risk assessments into the procurement process.
B. Provide regular information security training to the procurement team.
C. Invite IT members into regular procurement team meetings to influence best practice.
D. Enforce the right to audit in procurement contracts with SaaS vendors.
Answer: A
Explanation:
The best way to ensure that information security concerns are considered during the procurement of SaaS solutions is to integrate information security risk assessments into the procurement process.
This will allow the organization to identify and evaluate the potential security risks and impacts of using a SaaS provider, and to select the most appropriate solution based on the risk appetite and tolerance of the organization. Information security risk assessments should be conducted at the early stages of the procurement process, before selecting a vendor or signing a contract, and should be updated periodically throughout the contract lifecycle.
Which of the following will result in the MOST accurate controls assessment?
A. Mature change management processes
B. Senior management support
C. Well-defined security policies
D. Unannounced testing
Answer: D
Explanation:
Unannounced testing is the most accurate way to assess the effectiveness of controls, as it simulates a real-world scenario and does not allow the staff to prepare or modify their behavior in advance.
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST?
A. Determine whether the organization can benefit from adopting the new standard.
B. Obtain legal counsel’s opinion on the standard’s applicability to regulations.
C. Perform a risk assessment on the new technology.
D. Review industry specialists’ analyses of the new standard.
Answer: A
Explanation:
The first step that the information security manager should recommend when learning of a new standard related to an emerging technology is to determine whether the organization can benefit
from adopting the new standard. This involves evaluating the business objectives, needs, and requirements of the organization, as well as the potential advantages, disadvantages, and challenges
of implementing the new technology and the new standard. The information security manager should also consider the alignment of the new standard with the organization’s existing policies,
procedures, and standards, as well as the impact of the new standard on the organization’s information security governance, risk management, program, and incident management. By conducting a preliminary analysis of the feasibility, suitability, and desirability of the new standard, the information security manager can provide a sound basis for further decision making and planning.
When remote access to confidential information is granted to a vendor for analytic purposes, which of the following is the MOST important security consideration?
A. Data is encrypted in transit and at rest at the vendor site.
B. Data is subject to regular access log review.
C. The vendor must be able to amend data.
D. The vendor must agree to the organization’s information security policy.
Answer: D
Explanation:
When granting remote access to confidential information to a vendor, the most important security consideration is to ensure that the vendor complies with the organization’s information security
policy. The information security policy defines the roles, responsibilities, rules, and standards for accessing, handling, and protecting the organization’s information assets. The vendor must agree to the policy and sign a contract that specifies the terms and conditions of the access, the security controls to be implemented, the monitoring and auditing mechanisms, the incident reporting and
response procedures, and the penalties for non-compliance or breach. The policy also establishes the organization’s right to revoke the access at any time if the vendor violates the policy or poses a risk
to the organization.
An organization has received complaints from users that some of their files have been encrypted.
These users are receiving demands for money to decrypt the files. Which of the following would be
the BEST course of action?
A. Conduct an impact assessment.
B. Isolate the affected systems.
C. Rebuild the affected systems.
D. Initiate incident response.
Answer: D
Explanation:
The best course of action when the organization receives complaints from users that some of their files have been encrypted and they are receiving demands for money to decrypt the files is to initiate
incident response. This is because the organization is facing a ransomware attack, which is a type of malicious software that encrypts the victim’s data and demands a ransom for the decryption key.
Ransomware attacks can cause significant disruption, damage, and loss to the organization’s operations, assets, and reputation. Therefore, the organization needs to quickly activate its incident
response plan and team, which are designed to handle such security incidents in a coordinated, effective, and efficient manner.
In which cloud model does the cloud service buyer assume the MOST security responsibility?
A. Disaster Recovery as a Service (DRaaS)
B. Infrastructure as a Service (IaaS)
C. Platform as a Service (PaaS)
D. Software as a Service (SaaS)
Answer: B
Explanation:
Infrastructure as a Service (IaaS) is a cloud model in which the cloud service provider (CSP) offers the basic computing resources, such as servers, storage, network, and virtualization, as a service over the
internet. The cloud service buyer (CSB) is responsible for installing, configuring, managing, and securing the operating systems, applications, data, and middleware on top of the infrastructure.
Therefore, the CSB assumes the most security responsibility in the IaaS model, as it has to protect the confidentiality, integrity, and availability of its own assets and information in the cloud environment.
In a business proposal, a potential vendor promotes being certified for international security standards as a measure of its security capability.
Before relying on this certification, it is MOST important that the information security manager confirms that the:
A. current international standard was used to assess security processes.
B. certification will remain current through the life of the contract.
C. certification scope is relevant to the service being offered.
D. certification can be extended to cover the client’s business.
Answer: C
Explanation:
Before relying on a vendor’s certification for international security standards, such as ISO/IEC 27001, it is most important that the information security manager confirms that the certification scope is
relevant to the service being offered. The certification scope defines the boundaries and applicability of the information security management system (ISMS) that the vendor has implemented and
audited. The scope should cover the processes, activities, assets, and locations that are involved in delivering the service to the client. If the scope is too narrow, too broad, or not aligned with the service, the certification may not provide sufficient assurance of the vendor’s security capability and performance.
Reviewing which of the following would be MOST helpful when a new information security manager is developing an information security strategy for a non-regulated organization?
A. Management’s business goals and objectives
B. Strategies of other non-regulated companies
C. Risk assessment results
D. Industry best practices and control recommendations
Answer: A
Explanation:
When a new information security manager is developing an information security strategy for a non-regulated organization, reviewing the management’s business goals and objectives would be the most helpful. This is because the information security strategy should be aligned with and support the organization’s vision, mission, values, and strategic direction. The information security strategy
should also enable the organization to achieve its desired outcomes, such as increasing revenue, reducing costs, enhancing customer satisfaction, or improving operational efficiency. By reviewing
the management’s business goals and objectives, the information security manager can understand the business context, needs, and expectations of the organization, and design the information
security strategy accordingly. The information security manager can also communicate the value proposition and benefits of the information security strategy to the management and other
stakeholders, and gain their support and commitment.
When investigating an information security incident, details of the incident should be shared:
A. widely to demonstrate positive intent.
B. only with management.
C. only as needed.
D. only with internal audit.
Answer: C
Explanation:
When investigating an information security incident, details of the incident should be shared only as needed, according to the principle of least privilege and the need-to-know basis. This means that
only the authorized and relevant parties who have a legitimate purpose and role in the incident response process should have access to the incident information, and only to the extent that is
necessary for them to perform their duties. Sharing incident details only as needed helps to protect the confidentiality, integrity, and availability of the incident information, as well as the privacy and
reputation of the affected individuals and the organization. Sharing incident details only as needed also helps to prevent unauthorized disclosure, modification, deletion, or misuse of the incident
information, which could compromise the investigation, evidence, remediation, or legal actions.
Which of the following should be the PRIMARY consideration when developing an incident response plan?
A. The definition of an incident
B. Compliance with regulations
C. Management support
D. Previously reported incidents
Answer: B
Explanation:
Management support is the primary consideration when developing an incident response plan, as it is essential for obtaining the necessary resources, authority, and commitment for the plan.
Management support also helps to ensure that the plan is aligned with the organization’s business objectives, risk appetite, and security strategy, and that it is communicated and enforced across the
organization. Management support also facilitates the coordination and collaboration among different stakeholders, such as business units, IT functions, legal, public relations, and external parties, during an incident response.
An information security manager finds that a soon-to-be deployed online application will increase risk beyond acceptable levels, and necessary controls have not been included. Which of the following
is the BEST course of action for the information security manager?
A. Instruct IT to deploy controls based on urgent business needs.
B. Present a business case for additional controls to senior management.
C. Solicit bids for compensating control products.
D. Recommend a different application.
Answer: B
Explanation:
The information security manager should present a business case for additional controls to senior management, as this is the most effective way to communicate the risk and the need for mitigation.
Which of the following activities MUST be performed by an information security manager for change requests?
A. Perform penetration testing on affected systems.
B. Scan IT systems for operating system vulnerabilities.
C. Review change in business requirements for information security.
D. Assess impact on information security risk.
Answer: D
The effectiveness of an information security governance framework will BEST be enhanced if:
A. consultants review the information security governance framework.
B. a culture of legal and regulatory compliance is promoted by management.
C. risk management is built into operational and strategic activities.
D. IS auditors are empowered to evaluate governance activities.
Answer: B
Explanation:
The effectiveness of an information security governance framework will best be enhanced if risk management is built into operational and strategic activities. This is because risk management is a
key component of information security governance, which is the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with
and support business objectives, are consistent with applicable laws and regulations, and are effectively managed and measured. Risk management involves identifying, analyzing, evaluating, treating, monitoring, and communicating information security risks that may affect the organization’s objectives, assets, and stakeholders. By integrating risk management into operational and strategic activities, the organization can ensure that information security risks are considered and addressed in every decision and action, and that the information security governance framework is aligned with the organization’s risk appetite and tolerance. This also helps to optimize the allocation of resources, enhance the performance and value of information security, and improve the accountability and transparency of information security governance.
The BEST way to identify the risk associated with a social engineering attack is to:
A. monitor the intrusion detection system (IDS).
B. review single sign-on (SSO) authentication logs.
C. test user knowledge of information security practices.
D. perform a business risk assessment of the email filtering system.
Answer: C
Explanation:
The best way to identify the risk associated with a social engineering attack is to test user knowledge of information security practices. Social engineering is a type of attack that exploits human psychology and behavior to manipulate, deceive, or influence users into divulging sensitive information, granting unauthorized access, or performing malicious actions. Therefore, user knowledge of information security practices is a key factor that affects the likelihood and impact of a
social engineering attack. By testing user knowledge of information security practices, such as through quizzes, surveys, or simulated attacks, the information security manager can measure the level of awareness, understanding, and compliance of the users, and identify the gaps, weaknesses, or vulnerabilities that need to be addressed.
Which of the following is MOST critical when creating an incident response plan?
A. Identifying vulnerable data assets
B. Identifying what constitutes an incident
C. Documenting incident notification and escalation processes
D. Aligning with the risk assessment process
Answer: C
Explanation:
Documenting incident notification and escalation processes is the most critical step when creating an incident response plan, as this ensures that the appropriate stakeholders are informed and
involved in the response process. Identifying vulnerable data assets, what constitutes an incident, and aligning with the risk assessment process are important, but not as critical as documenting the
communication and escalation procedures.
Which is the BEST method to evaluate the effectiveness of an alternate processing site when
continuous uptime is required?
A. Parallel test
B. Full interruption test
C. Simulation test
D. Tabletop test
Answer: A
Explanation:
A parallel test is the best method to evaluate the effectiveness of an alternate processing site when continuous uptime is required. A parallel test involves processing the same transactions or data at
both the primary and the alternate site simultaneously, and comparing the results for accuracy and consistency. A parallel test can validate the functionality, performance, and reliability of the alternate site without disrupting the normal operations at the primary site. A parallel test can also identify and resolve any issues or discrepancies between the two sites before a real disaster occurs. A parallel test can provide a high level of assurance and confidence that the alternate site can support the organization’s continuity requirements.
How does an incident response team BEST leverage the results of a business impact analysis (BIA)?
A. Assigning restoration priority during incidents
B. Determining total cost of ownership (TCO)
C. Evaluating vendors critical to business recovery
D. Calculating residual risk after the incident recovery phase
Answer: A
Explanation:
The incident response team can best leverage the results of a business impact analysis (BIA) by assigning restoration priority during incidents. A BIA is a process that identifies and evaluates the criticality and dependency of the organization’s business functions, processes, and resources, and the potential impacts and consequences of their disruption or loss. The BIA results provide the basis for determining the recovery objectives, strategies, and plans for the organization’s business continuity and disaster recovery. By using the BIA results, the incident response team can prioritize
the restoration of the most critical and time-sensitive business functions, processes, and resources, and allocate the appropriate resources, personnel, and time to minimize the impact and duration of the incident.
Which of the following is MOST important to consider when determining asset valuation?
A. Asset recovery cost
B. Asset classification level
C. Cost of insurance premiums
D. Potential business loss
Answer: D
Explanation:
Potential business loss is the most important factor to consider when determining asset valuation, as it reflects the impact of losing or compromising the asset on the organization’s objectives and
operations. Asset recovery cost, asset classification level, and cost of insurance premiums are also relevant, but not as important as potential business loss, as they do not capture the full value of the
asset to the organization.
An information security manager learns that IT personnel are not adhering to the information security policy because it creates process inefficiencies. What should the information security
manager do FIRST?
A. Conduct user awareness training within the IT function.
B. Propose that IT update information security policies and procedures.
C. Determine the risk related to noncompliance with the policy.
D. Request that internal audit conduct a review of the policy development process.
Answer: C
Explanation:
The information security manager should first determine the risk related to noncompliance with the policy, as this will help to understand the impact and likelihood of the policy violation and the
potential consequences for the organization. The information security manager can then use the risk assessment results to communicate the importance of the policy to the IT personnel, propose any necessary changes to the policy or the processes, or request an audit of the policy development process, depending on the situation.
Which of the following is the BEST indication of a successful information security culture?
A. Penetration testing is done regularly and findings remediated.
B. End users know how to identify and report incidents.
C. Individuals are given roles based on job functions.
D. The budget allocated for information security is sufficient.
Answer: B
Explanation:
The best indication of a successful information security culture is that end users know how to identify and report incidents. This shows that the end users are aware of the information security policies,
procedures, and practices of the organization, and that they understand their roles and responsibilities in protecting the information assets and resources. It also shows that the end users
are engaged and committed to the information security goals and objectives of the organization, and that they are willing to cooperate and collaborate with the information security team and other
stakeholders in preventing, detecting, and responding to information security incidents. A successful information security culture is one that fosters a positive attitude and behavior toward information
security among all members of the organization, and that aligns the information security strategy with the business strategy and the organizational culture.
An organization finds it necessary to quickly shift to a work-from-home model with an increased need for remote access security.
Which of the following should be given immediate focus?
A. Moving to a zero trust access model
B. Enabling network-level authentication
C. Enhancing cyber response capability
D. Strengthening endpoint security
Answer: D
Explanation:
Strengthening endpoint security is the most immediate focus when shifting to a work-from-home model with an increased need for remote access security, as this reduces the risk of unauthorized
access, data leakage, malware infection, and other threats that may compromise the confidentiality, integrity, and availability of the organization’s information assets.
Which of the following is MOST important to ensuring information stored by an organization is protected appropriately?
A. Defining information stewardship roles
B. Defining security asset categorization
C. Assigning information asset ownership
D. Developing a records retention schedule
Answer: C
Explanation:
The most important factor to ensuring information stored by an organization is protected appropriately is assigning information asset ownership. Information asset ownership is the process of identifying and assigning the roles and responsibilities of the individuals or groups who have the authority and accountability for the information assets and their protection. Information asset
owners are responsible for defining the business value, classification, and security requirements of the information assets, as well as granting the access rights and privileges to the information users
and custodians. Information asset owners are also responsible for monitoring and reviewing the security performance and compliance of the information assets, and reporting and resolving any
security issues or incidents. By assigning information asset ownership, the organization can ensure that the information assets are properly identified, categorized, protected, and managed according to their importance, sensitivity, and regulatory obligations.
What is the BEST way to reduce the impact of a successful ransomware attack?
A. Perform frequent backups and store them offline.
B. Purchase or renew cyber insurance policies.
C. Include provisions to pay ransoms in the information security budget.
D. Monitor the network and provide alerts on intrusions.
Answer: A
Explanation:
Performing frequent backups and storing them offline is the best way to reduce the impact of a successful ransomware attack, as this allows the organization to restore its data and systems without
paying the ransom or losing valuable information.
Which of the following would be the BEST way for an information security manager to improve the effectiveness of an organization’s information security program?
A. Focus on addressing conflicts between security and performance.
B. Collaborate with business and IT functions in determining controls.
C. Include information security requirements in the change control process.
D. Obtain assistance from IT to implement automated security controls.
Answer: B
Explanation:
The best way for an information security manager to improve the effectiveness of an organization’s information security program is to collaborate with business and IT functions in determining
controls. Collaboration is a key factor for ensuring that the information security program is aligned with the organization’s business objectives, risk appetite, and security strategy, and that it supports the business processes and activities. Collaboration also helps to gain the buy-in, involvement, and ownership of the business and IT functions, who are the primary stakeholders and users of the
information security program.
Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process?
A. To facilitate a qualitative risk assessment following the BIA
B. To increase awareness of information security among key stakeholders
C. To ensure the stakeholders providing input own the related risk
D. To obtain input from as many relevant stakeholders as possible
Answer: D
Explanation:
The most important reason to conduct interviews as part of the business impact analysis (BIA) process is to obtain input from as many relevant stakeholders as possible. A BIA is a process of
identifying and analyzing the potential effects of disruptive events on the organization’s critical business functions, processes, and resources. A BIA helps to determine the recovery priorities,
objectives, and strategies for the organization’s continuity planning. Interviews are one of the methods to collect data and information for the BIA, and they involve direct and interactive communication with the stakeholders who are involved in or affected by the business functions, processes, and resources. By conducting interviews, the information security manager can obtain input from as many relevant stakeholders as possible, such as business owners, managers, users, customers, suppliers, regulators, and partners. This can help to ensure that the BIA covers the full scope and complexity of the organization’s business activities, and that the BIA reflects the accurate, current, and comprehensive views and expectations of the stakeholders. Interviews can also help to validate, clarify, and supplement the data and information obtained from other sources, such as surveys, questionnaires, documents, or systems. Interviews can also help to build rapport, trust, and collaboration among the stakeholders, and to increase their awareness, involvement, and
commitment to the information security and continuity planning.
Which of the following is the PRIMARY reason to perform regular reviews of the cybersecurity threat landscape?
A. To compare emerging trends with the existing organizational security posture
B. To communicate worst-case scenarios to senior management
C. To train information security professionals to mitigate new threats
D. To determine opportunities for expanding organizational information security
Answer: A
Explanation:
The primary reason to perform regular reviews of the cybersecurity threat landscape is to compare emerging trends with the existing organizational security posture, as this helps the information
security manager to identify and prioritize the gaps and risks that need to be addressed. The cybersecurity threat landscape is dynamic and constantly evolving, and the organization’s security posture may not be adequate or aligned with the current and future threats. By reviewing the threat landscape regularly, the information security manager can assess the effectiveness and maturity of the security program, and recommend appropriate actions and controls to improve the security posture and reduce the likelihood and impact of cyberattacks.
Which of the following is the BEST course of action for an information security manager to align security and business goals?
A. Conducting a business impact analysis (BIA)
B. Reviewing the business strategy
C. Defining key performance indicators (KPIs)
D. Actively engaging with stakeholders
Answer: D
Explanation:
According to the CISM Review Manual, the information security manager should actively engage with stakeholders to align security and business goals. This means understanding the business needs,
expectations, and risk appetite of the stakeholders, and communicating the value and benefits of security initiatives to them. By engaging with stakeholders, the information security manager can
also gain their support and commitment for security programs and projects, and ensure that security objectives are aligned with business strategy and priorities.