ISACA Definition of Risk Appetite: - ANSWER -The level of risk that an
organization is willing to accept while in pursuit of its mission, strategy, and
objectives, and before action is needed to treat the risk.
ISACA Definition of Risk Capacity: - ANSWER -The objective amount of loss
that an organization can tolerate without its continued existence being called into
question.
ISACA Definition of Risk Profile: - ANSWER -Documents the types, amounts
and priority of information risk that an organization finds acceptable and
unacceptable. This profile is developed collaboratively with numerous stakeholders
throughout the organization, including data and process owners, enterprise risk
management, internal and external audit, legal, compliance, & privacy.
Mature Organizations Will: - ANSWER -Develop and publish a statement of risk
tolerance or appetite that expresses risk tolerance levels throughout the business.
What do we really need to have a handle on?: - ANSWER -Technology
Architecture
People
Process
Information Security governance is most effective when: - ANSWER -Every
person in the organization knows what is expected of them.
RACI Charts: - ANSWER -Charts that show the Responsible, Accountable,
Consulted, and Informed roles for project stakeholders.
Variations of RACI Model: - ANSWER -Participant, Accountable, Review
Required, Input Required, Sign-off Required (PARIS)
Perform, Accountable, Control, Support, Informed (PACSI)
Board of Directors Principle 1 - ANSWER -Approach cybersecurity as an
enterprise-wide issue, rather than just an IT issue.
Board of Directors Principle 2 - ANSWER -Understand legal implications
associated with cyber risk.
Board of Directors Principle 3 - ANSWER -Boards should have adequate access
to cyber expertise and allow ample time to discuss cyber topics during board
meetings.
Board of Directors Principle 4 - ANSWER -Boards should set the expectation that
management will establish an enterprise-wide cyber-risk management framework
with adequate staffing and budget.
Board of Directors Principle 5 - ANSWER -Board-management discussions about
cyber risk should include identification of which risks to avoid, which to accept,
and which to mitigate or transfer through insurance, as well as specific plans
associated with each approach.
Security Steering Committee - ANSWER -Consists of stakeholders from many
(if not all) of the organization's business units, departments, functions, and
principal locations.
Steering Committee Responsibilities - ANSWER -Risk treatment deliberation and
recommendation
Discussion and coordination of IT and security projects
Review of recent risk assessments
Discussion of new laws, regulations, and requirements
Review of recent security incidents
Function Definition: - ANSWER -In the case of business applications and
services, asset owners determine which functions will be available, how they will
work, and how they will support business processes.
Process Definition: - ANSWER -Process owners determine the sequences, steps,
roles, and actions carried out in their business processes.
Chief Privacy Officer - ANSWER -Duties mainly involve oversight of the
organization's proper handling and use of PII.
Strategic Alignment: - ANSWER -For a security program to be successful, it must
align with the organization's mission and strategy.
The Security Balanced Scorecard: - ANSWER -A management tool that is used to
measure the performance and effectiveness of an organization. Includes: Financial,
Customer, Internal Processes, and Innovation and Learning.
Business Model for Information Security (BMIS): - ANSWER -A holistic and
business-oriented model that supports enterprise governance and management of
information security, and provides a common language for information security
professionals and business management.
BMIS Pyramid - ANSWER -Elements of IT, people, process, and technology,
while the apex element is the organization.
BMIS (Technology) - ANSWER -Represents all of the systems, applications, and
tools used by practitioners in an organization.
BMIS (Culture) - ANSWER -The culture DI (dynamic interconnection) connects the
organization and people elements.
BMIS (Governing) - ANSWER -The governing DI connects the organization and
process elements.
BMIS (Architecture) - ANSWER -The DI between organization and technology
signifies the need for the use of technology to be planned, orderly, and
purposeful.