Exam

ISACA CISM 2-15 question & answer 2022-24

Pages: 4
Grade: A+
Published on: 03-01-2024
Written in: 2023/2024

Questions - correct answer Answers and Explanations

Decisions regarding information security are best supported by - correct answer effective metrics
Effective metrics are essential to provide the information needed to make decisions. A metric is a quantifiable entity that allows the measurement of the achievement of a process goal.

A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do first? - correct answer understand the business requirements of the portal
You cannot make an uninformed decision. Learn and understand the business requirement first! Vulnerability assessment and intrusion detection systems (IDS) are subsequent tasks.

Which of the following should be understood before defining risk management strategies? - correct answer organizational objectives and risk appetite
Analyze the organization's objectives and risk appetite, then define a risk management framework based on the analysis. Some organizations may accept known risks.

The primary concern of an information security manager documenting a formal data retention policy is - correct answer Business Requirements!
Best practices are useful, but not primary. Legislative or regulatory requirements are only primary if they are part of the business requirements.

The maturity of an information security program is primarily the result of - correct answer An effective information security strategy
A strategy provides clear direction on how the organization will attain security outcomes and is directed by senior management.
Other notes:
Assessing and analyzing risk is required to develop a strategy; it provides the information needed to develop it, but will not define the scope and charter of the security program.
Security architecture is a part of a larger security plan.
An applicability statement is part of strategy implementation using ISO 27001 or 27002 after determining the scope and responsibilities of the program.

Which of the following best supports the principle of security proportionality? - correct answer Asset Classification!
Classification provides the basis for protecting resources in relation to their importance to the organization. More important assets get a proportionally higher level of protection.
An ownership schema is one step in achieving proportionality, but other steps must also occur.
Resource dependency analysis can reveal the level of protection afforded a particular system, but is unrelated to protection of assets!

An organization's security awareness program should focus on which of the following? - correct answer An organization's security awareness program should focus on employee behavior and the consequences of both compliance and noncompliance with security policy.

It is essential to determine the forces that drive the business need for the information security program. Determining drivers is critical to - correct answer Establish the basis for the development of metrics!
Determining the drivers of the program establishes objectives and is essential to developing relevant metrics for the organization.

The information security manager has determined that a risk exceeds risk appetite, yet the manager does not mitigate the risk. What is the most likely reason that management would consider this course of action appropriate? - correct answer The risk falls within the risk tolerance level!
Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.


Seller: THEEXCELLENCELIBRARY, Harvard University