CISM Practice Questions - Chapter 1 Already Graded A
CH1: What are the 6 outcomes of security governance?
1. Strategic alignment
2. Risk management
3. Value delivery
4. Resource optimization
5. Performance measurement
6. Assurance process integration

CH1: A security strategy is important for an organization PRIMARILY because it:
A. provides a basis for determining the best logical security architecture for the organization.
B. provides the approach to achieving the outcomes management wants.
C. provides users guidance on how to operate securely in everyday tasks.
D. helps IS auditors ensure compliance.
Answer: B. A security strategy defines the approach to achieving the security program outcomes management wants. It should also be a statement of how security aligns with and supports business objectives, and it provides the basis for good security governance.

CH1: Which of the following is the MOST important reason to provide effective communication about information security?
A. It makes information security more palatable to resistant employees.
B. It mitigates the weakest link in the information security landscape.
C. It informs business units about the information security strategy.
D. It helps the organization conform to regulatory information security requirements.
Answer: B. In the majority of instances, security failures are directly attributable to a lack of awareness or to employees failing to follow policies or procedures. Communication is important to ensure continued awareness of security policies and procedures among staff and business partners.

CH1: Which of the following approaches BEST helps the information security manager achieve compliance with various regulatory requirements?
A. Rely on corporate counsel to advise which regulations are the most relevant.
B. Stay current with all relevant regulations and request legal interpretation.
C. Involve all impacted departments and treat regulations as just another risk.
D. Ignore many of the regulations that have no penalties.
Answer: C. Departments such as HR, finance and legal are most often subject to new regulations, are most aware of them, and therefore must be involved in determining how best to meet existing and emerging requirements. Treating regulations as a risk puts them in the proper perspective, and the mechanisms to deal with them should already exist.

CH1: The MOST important consideration in developing security policies is that:
A. they are based on a threat profile.
B. they are complete and no detail is left out.
C. management signs off on them.
D. all employees read and understand them.
Answer: A. The basis for developing relevant security policies is addressing viable threats to the organization, prioritized by likelihood of occurrence and potential impact on the business. The strictest policies should apply to the areas of greatest business value, so that protection is proportional to risk.

CH1: The PRIMARY security objective in creating good procedures is:
A. to make sure they work as intended.
B. that they are unambiguous and meet the standards.
C. that they are written in plain language and widely distributed.
D. that compliance is monitored.
Answer: B. All are important, but the first criterion must be that there is no ambiguity in the procedures and that, from a security perspective, they meet the applicable standards and comply with policy.

CH1: Which of the following MOST helps ensure that assignment of roles and responsibilities is effective?
A. Senior management is in support of the assignments.
B. The assignments are consistent with existing proficiencies.
C. The assignments are mapped to required skills.
D. The assignments are given on a voluntary basis.
Answer: B. The effectiveness of employees is determined by their existing knowledge, capabilities and proficiencies.

CH1: Which of the following benefits is the MOST important to an organization with effective information security governance?
A. Maintaining appropriate regulatory compliance
B. Ensuring disruptions are within acceptable levels
C. Prioritizing allocation of remedial resources
D. Maximizing return on security investments
Answer: B. The bottom line of security efforts is to ensure that the business can continue to operate with an acceptable level of disruption that does not unduly constrain revenue-producing activities.

CH1: From an information security manager's perspective, the MOST important factors regarding data retention are:
A. business and regulatory requirements.
B. document integrity and destruction.
C. media availability and storage.
D. data confidentiality and encryption.
Answer: A. Business and regulatory requirements are the driving factors for data retention.

CH1: Which role is in the BEST position to review and confirm the appropriateness of a user access list?
A. Data owner
B. Information security manager
C. Domain administrator
D. Business manager
Answer: A. The data owner is responsible for periodic reconfirmation of the access lists for the systems he or she owns.

CH1: In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.
Answer: A. The information security manager is responsible for developing a security strategy based on business objectives, with the help of business process owners and senior management.

CH1: What are the 4 elements of the Business Model for Information Security (BMIS) (page 31)?
1. Organization design and strategy
2. People
3. Process
4. Technology

CH1: What are the dynamic interconnections that link the 4 elements together in the Business Model for Information Security (BMIS) (page 31)?
1. Governance
2. Culture
3. Enablement and support
4. Emergence
5. Human factors
6. Architecture

CH1: What is convergence?
The integration of physical security and information security. The arbitrary division of security-related activities into physical security and information security is increasingly seen as artificial; convergence brings them together under one integrated security function.

CH1: What does the SMART acronym mean when pertaining to metrics?
S - Specific
M - Measurable
A - Attainable
R - Relevant
T - Timely

CH1: What are examples of quantitative security metrics?
- Downtime
- Number of system penetrations
- Impacts and losses
- Recovery times
- Number of vulnerabilities uncovered with network scans
- Percentage of servers patched

CH1: What is gap analysis?
A basis for an action plan to implement a strategy. It identifies the steps needed to move from the current state to the desired state in order to achieve defined objectives.

CH1: Information security governance is the responsibility of?
The board of directors and senior management.

CH2: The overall objective of risk management is to:
A. Eliminate all vulnerabilities, if possible.
B. Reduce risk to the lowest possible level.
C. Manage risk to an acceptable level.
D. Implement effective countermeasures.
Answer: C. The objective of risk management is managing risk to a level acceptable to the organization.

CH2: The information security manager should treat regulatory compliance as:
A. an organizational mandate.
B. a risk management priority.
C. a purely operational issue.
D. another risk to be managed.
Answer: D. There are numerous regulations that may affect an organization. Priority will be a management decision based on those regulations with the greatest level of enforcement (likelihood) and the most severe sanctions (consequence/impact), in addition to the cost of compliance (mitigation), just as with any other risk.

CH2: To address changes in risk, an effective risk management program should:
A. ensure that continuous monitoring processes are in place.
B. establish proper security baselines for all information resources.
C. implement a complete data classification process.
D. change security policies on a timely basis to address changing risk.
Answer: A. Risk changes as threats, vulnerabilities or potential impacts change over time. The risk management program must have processes in place to monitor those changes and modify countermeasures, as appropriate, to maintain acceptable levels of residual risk.

CH2: Information classification is important to properly manage risk PRIMARILY because:
A. it ensures accountability for information resources as required by roles and responsibilities.
B. it is a legal requirement under various regulations.
C. it ensures adequate protection of assets commensurate with the degree of risk.
D. asset protection can then be based on the potential consequences of compromise.
Answer: D. Classification is based on the potential impact or consequences of compromise.

CH2: Vulnerabilities discovered during an assessment should be:
A. handled as a risk, even though there is no threat.
B. prioritized for remediation solely based on impact.
C. a basis for analyzing the effectiveness of controls.
D. evaluated for threat, impact and cost of mitigation.
Answer: D. Vulnerabilities uncovered should be evaluated and prioritized based on whether there is a credible threat, the impact if the vulnerability is exploited, and the cost of mitigation. If there is a potential threat but little or no impact if the vulnerability is exploited, there is little risk, and it may not be cost-effective to address it.

CH2: Indemnity agreements can be used to:
A. ensure an agreed-upon level of service.
B. reduce impacts on organizational resources.
C. transfer responsibility to a third party.
D. provide an effective countermeasure to threats.
Answer: B. Indemnity agreements serve to reduce financial impacts by providing compensation for adverse events within the scope of the agreement.

CH2: Residual risk can be determined by:
A. assessing remaining vulnerabilities.
B. performing threat analysis.
C. conducting a risk assessment.
D. implementing risk transfer.
Answer: C. Regardless of whether risk is residual, it is determined by a risk assessment.

CH2: Data owners are PRIMARILY responsible for creating risk mitigation strategies to address which of the following areas?
A. Platform security
B. Entitlement changes
C. Intrusion detection
D. Antivirus controls
Answer: B. Data owners are concerned with, and responsible for, who has access to their resources; therefore, they need to be concerned with the strategy for mitigating the risk of data resource usage.

CH2: A risk analysis should:
A. limit the scope to a benchmark of similar companies.
B. assume an equal degree of protection for all assets.
C. address the potential size and likelihood of loss.
D. give more weight to the likelihood vs. the size of the loss.
Answer: C. A risk analysis deals with the potential size and likelihood of loss.

CH2: Which of the following is the FIRST step in selecting the appropriate controls to be implemented in a new business application?
A. Business impact analysis (BIA)
B. Cost-benefit analysis
C. Return on investment (ROI) analysis
D. Risk assessment
Answer: D. It is necessary to first consider the risk and determine whether it is acceptable to the organization. A risk assessment identifies threats and vulnerabilities and calculates the risk. Controls are then evaluated by comparing the cost of the control against the potential impact if the risk were realized.

CH2: What is information classification?

CH2: What is an aggregated risk?
When a particular threat affects a large number of minor vulnerabilities that, in the aggregate, can have a significant impact.

CH2: What is a cascading risk?
Written for: CISM - Certified Information Security Manager (institution and course)
Document information: uploaded on October 7, 2023; 15 pages; written in 2023/2024; type: exam (elaborations); contains questions & answers.