CISM 2023 EXAM (BRAND NEW!!) TEST BANK QUESTIONS AND CORRECT DETAILED ANSWERS WITH RATIONALES (VERIFIED ANSWERS) |ALREADY GRADED A+
What is Information Security Governance? Note there are 5 desired outcomes:
- ANSWER-
1. Strategic alignment of information security with business strategy to support organizational objectives
2. Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
4. Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing

Information
- ANSWER- Data endowed with meaning and purpose

Benefits from an effective governance program
- ANSWER-
1. Strategic Alignment
2. Risk Management
3. Value Delivery
4. Resource Optimization
5. Performance Measurement

Strategic Alignment
- ANSWER- Aligning information security with the business strategy by providing guidance, developing security solutions, and aligning investment with the business strategy.

Risk Management
- ANSWER- The process by which an organization manages risk to acceptable levels within acceptable tolerances, identifies potential risk and its associated impacts, and prioritizes their mitigation based on the organization's business objectives. Risk management develops and deploys internal controls to manage and mitigate risk throughout the organization.

Value Delivery
- ANSWER- Optimizing [security investments in support of business objectives].
1. Create a standard set of security practices (baseline standards).
2. Keep security overheads at minimum levels; institutionalize and commoditize standards-based solutions.
3. Understand the end-to-end business organization. Continuous improvement culture.

Resource Optimization
- ANSWER- Using information security knowledge and infrastructure efficiently and effectively so that:
1. Knowledge is captured
2. Security processes are documented
3. Security architecture is developed

Performance Measurement
- ANSWER- Monitoring and reporting on information security processes to ensure that objectives are achieved, including:
1. A meaningful set of metrics properly aligned with strategic objectives
2. Identifying shortcomings
3. Independent audits
4. Identifying the most useful metrics from the others

Integration
- ANSWER- Assurance factors/functions and processes operate as intended from end to end.

Who is responsible for Information Security Governance?
- ANSWER- The Board of Directors and executive management.

What is management's responsibility?
- ANSWER- Establish and maintain a framework to guide the development and management of a comprehensive information security program. Executive management must be supportive of the process and fully understand and agree with the results of the Business Impact Analysis (BIA), since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending on their role in the organization, so the input of executive management is important to the process. The board of directors does not define information security, but provides direction in support of the business goals and objectives. Executive management holds overall responsibility for protection of the information assets. Routine administration of all aspects of security is delegated, but top management must retain overall accountability. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.

Governance framework consists of:
- ANSWER-
1. Comprehensive security strategy linked to the business objectives
2. Complete set of standards for each policy
3. Security organization structure
4. Institutionalized metrics and monitoring processes
[Is the responsibility of senior management and focuses on creating the mechanisms an organization uses to ensure that personnel follow established processes and procedures.]
Senior management that is part of the security steering committee is in the best position to approve plans to implement an information security governance framework.
The MOST important outcome of aligning information security governance with corporate governance is to maximize the cost-effectiveness of controls.
An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities, is a necessary attribute of an effective information security governance framework.

What is Information Security concerned with?
- ANSWER- Information security [deals with all aspects of information, whether spoken, written, printed], electronic or relegated to any other medium, regardless of whether it is being created, viewed, transported, stored or destroyed. Information security controls should be proportionate to the criticality and/or sensitivity of the asset (i.e., the potential impact of compromise). Defining and ratifying the data classification structure is the primary role of the information security manager in the data classification and handling process within the organization. The first step in implementing information security governance is to define the security strategy, based on which security baselines are determined. [Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements.] It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives. Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to economies of scale. However, turnaround can be slower due to the lack of alignment with business units.

What is IT security concerned with?
- ANSWER- Concerned with the security of information within the boundaries of the technology domain [custodial capacity]. For example, confidential information disclosed in an elevator or sent via postal mail is outside the scope of IT security. IT security is not concerned with the nature or type of compromise; the fact that security has been breached is what is important. Handling identity management. Risk assessment, evaluation and impact analysis will be the starting point for driving management's attention to information security. A set of security objectives, processes, methods, tools and techniques together constitute a security strategy.

What are the core set of principles to guide implementation of an effective information security strategy?
- ANSWER-
1. Conduct annual information security evaluation
2. Periodic risk assessment
3. Implement policies and procedures based on risk assessment
4. Establish roles and responsibilities, authority and accountability
5. Provide information security to networks, facilities, systems and information
6. Incorporate as part of the system life cycle
7. Training
8. Periodic testing and evaluation
9. Incident management
10. Development and testing of BC
Document information
- Uploaded on: 25 October 2023
- Number of pages: 22
- Written in: 2023/2024
- Type: Exam
- Contains: Questions & Answers