CISM Exam Prep correctly answered 2022/2023

CISM Exam Prep correctly answered 2022/2023Information security governance is primarily driven by: Business strategy Who should drive the risk analysis for an organization? the Security Manager Who should be responsible for enforcing access rights to application data? Security administrators The MOST important component of a privacy policy is: notifications Investment in security technology and processes should be based on: clear alignment with the goals and objectives of the organization Define information security governance 1. A set of policies and procedures that establishes a framework of information security strategies 2. A practice area that ensures efficient utilization of information resources The main purpose of information security governance to ensure the safety of information including its Confidentiality, Integrity and Availability. Information security governance protects information from loss, misuse, unauthorized usage, and destruction during its life cycle or the time it is being used in an organization. Benefits of information security governance - accountability for protecting information during important business activities - reduction of the impact of security incidents - reduction in risks to tolerable limits - protection from civil and legal liabilities - enhancement of trust in customer relationships - assurance of policy compliance - protection of company reputation In order to be effective, information security governance needs to provide 6 basic outcomes: - strategic alignment - value delivery - risk management - performance measurement - resource management - integration Should information security investments be optimized or minimized? Optimized so that they support business objectives. Primary goals of resource management: - keeping a record of security practices and processes - acquiring knowledge and making it accessible - building a security architecture that identifies and uses infrastructure resources properly What is Corporate Governance? Corporate governance is a set of procedures and duties performed by the board of directors and executive management to direct and control the organization. Corporate governance helps the board of directors to • ensure that business objectives are met • provide strategic direction for business activities • verify the efficient use of the organization's resources, and ensure proper handling of business risks Information Security Governance While corporate governance deals with performance and control at all levels of the organization, information security governance is a subset of corporate governance. Information security governance is concerned with the policies and controls related to protecting information in the organization. It helps you to • ensure that information security objectives are achieved • provide strategic direction for information security activities • ensure the efficient use of information resources, and manage information security risks General components of the Information Security Governance Framework are: - security strategy - security policies - standards - security organizational structure - metrics and monitoring Steering Committee Consists of senior representatives of departments that are directly or indirectly affected by information security policies. The steering committee aims to involve all stakeholders influenced by security aspects. Who is responsible for identifying information assets that need to be protected and assigning appropriate priorities and protection levels for them? The Board of Directors