CISM 2018 questions and answer (updated)

CISM 2018 questions and answer (updated)Who is charged with creating a model for an organization's data dictionary? The Chief Information Officer is charged with creating a model for an organization's data dictionary. The data dictionary describes the naming conventions of the organization's information. What is strategy? Strategy is the pattern of decisions in an organization that determine and reveal its objectives, purposes or goals. What is Information Security Resource Management? Information Security Resource Management (ISRM) is the processes used to plan, allocate and control information security resources. What is the key goal of information security? The key goal of information security is to reduce adverse impacts on the organization to an acceptable level. What is the key metric of information security? The key metric of information security is to identify adverse impacts of information security incidents experienced by the organization. When does value delivery occur? Value delivery occurs when security investments are optimized in support of organizational objectives. What is the acid test for strategic alignment of security controls? The acid test for strategic alignment of security controls is reverse order evaluation of a specific control that can be tracked back to a specific business requirement. What are the criteria of effective security metrics? The criteria of effective security metrics are as follows: Meaningful; Accurate; Cost-Effective; Repeatable; Predictive; Actionable, and Genuine. What makes a security metric meaningful? A meaningful security metric is one that can be understood by its intended audience. What makes a security metric accurate? An accurate security metric is one that embodies a reasonable degree of precision. What makes a security metric cost-effective? A cost-effective security metric is one that is not too expensive to acquire or maintain. What is a repeatable security metric? A repeatable security metric is one that can be acquired reliably over time. What makes a security metric predictive? A predictive security metric is one that is indicative of outcomes. What make a security metric actionable? An actionable security metric is one that provides clarity as to what action should be taken. What makes a security metric genuine? A genuine security metric is one that is not random or subject to manipulation. What is status quo bias? Status quo bias is the tendency to stick with familiar or known approaches even when they are demonstrably inadequate or ineffective. What is false consensus? False consensus is the tendency to overestimate the extent that others share one's view, beliefs and experiences. What is confirmation bias? Confirmation bias is seeking opinions and facts that support one's own beliefs. What is selective recall? Selective recall is remembering only facts and experiences that reinforce current assumptions. What is biased assimilation? Biased assimilation is only accepting facts that support one's current position or perspective. What is biased evaluation? Biased evaluation is the easy acceptance of evidence that supports one's own hypothesis while contradictory evidence is challenged and almost invariably rejected. What is groupthink? Groupthink is the pressure for agreement in team-based cultures. What is herding instinct? Herding instinct is the desire to conform and seek validation of others. What are the six defined outcomes of security governance? The six defined outcomes of security governance are: 1. Strategic alignment; 2. effective risk management; 3. value delivery; 4. resource management; 5. performance measurement; and, 6. process assurance integration. What are the four domains of the 'COBIT' framework? The four domains of the 'COBIT' framework are: 1. Plan and Organize; 2. Acquire and Implement; .3 Deliver and Support; and, 4. Monitor and Evaluate. What are the 6 maturity levels of the Capability Maturity Model? The six maturity levels of the Capability Maturity Model are numbered from zero to five, and they are as follows: 1. Nonexistent; 2. Ad hoc; 3. Repeatable but intuitive; 4. Defined process; 5. Managed and Measurable; and, 6. Optimized. What is CMM Level 0? CMM LEVEL ZERO: No recognition by organization of need for security. What is CMM Level 1? CMM LEVEL ONE: Risk is considered with no formal process. What is CMM Level 2? CMM LEVEL TWO: Emerging underst