01. Enterprise Governance Flashcards

(125 cards)

1
Q

Enterprise Governance

“A process whereby senior management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring”

This is a definition of what function

A

GOVERNANCE

33

2
Q

Enterprise Governance

GOVERNANCE is a process whereby senior management exerts strategic control over business functions through what 4 methods

A
  1. POLICIES
  2. OBJECTIVES
  3. DELEGATION OF AUTHORITY
  4. MONITORING

33

3
Q

Enterprise Governance

GOVERNANCE provides the management oversight of the business to ensure business processes effectively meet the organisation's business ____ and ____

A
  1. VISION
  2. OBJECTIVES

33

4
Q

Enterprise Governance

  1. Organisations usually establish governance through the use of what body of people
  2. This body of people is usually responsible for setting what business strategy
A
  1. STEERING COMMITTEE
  2. LONG TERM

  • Organisations usually establish governance through steering committees responsible for setting long term business strategy and making changes to ensure that business processes continue to support business strategy and the organisation's overall needs

33

5
Q

Enterprise Governance

“Organisations usually establish governance through steering committees responsible for setting long term business strategy and making changes to ensure that business processes continue to support business strategy and the organisation's overall needs”

This is accomplished through the development and enforcement of what 4 things

A
  1. POLICIES
  2. STANDARDS
  3. PROCEDURES
  4. REQUIREMENTS

33

6
Q

Enterprise Governance

Information security governance typically focuses on several key processes which include;

[ ] Personnel Management
[ ] Vendor hardware selection
[ ] Sourcing
[ ] Risk Management
[ ] Certification and Training
[ ] Configuration Management
[ ] Change Management
[ ] Operating system selection
[ ] Access Management
[ ] Vulnerability Management
[ ] Team resource size
[ ] Incident Management
[ ] BCP

A

[X] Personnel Management
[ ] Vendor hardware selection
[X] Sourcing
[X] Risk Management
[ ] Certification and Training
[X] Configuration Management
[X] Change Management
[ ] Operating system selection
[X] Access Management
[X] Vulnerability Management
[ ] Team resource size
[X] Incident Management
[X] BCP

33

7
Q

Enterprise Governance

Information Security is a BUSINESS or STRATEGIC issue

A

BUSINESS

34

8
Q

Enterprise Governance

The main reason typically cited for an information security business issue is what, in relation to individuals in particular roles

A

LACK OF UNDERSTANDING AND COMMITMENT
(board of directors and snr. exec)

34

9
Q

Enterprise Governance

  1. Many people in a business see information security as what sort of issue
  2. In order to be successful, information security must be considered what sort of issue
A
  1. TECHNOLOGY ISSUE
  2. PEOPLE ISSUE

34

10
Q

Enterprise Governance

How can a business be in a position of reduced risk in relation to people at all levels

A

UNDERSTAND ROLES AND RESPONSIBILITIES

  • When people at each level in the organisation understand the importance and impact of information security, and their own roles and responsibilities, the organisation will be in a position of reduced risk

34

11
Q

Enterprise Governance

Information security governance is a set of established activities that helps management understand what 3 things in relation to the organisation

A
  1. STATE OF SECURITY PROGRAM
  2. CURRENT RISKS
  3. DIRECT ACTIVITIES

34

12
Q

Enterprise Governance

A goal of the security program is to contribute towards what in relation to the wider business

A

SECURITY STRATEGY

34

13
Q

Enterprise Governance

In order for a security governance program to succeed, what else should the business have established and in place

A

IT GOVERNANCE PROGRAM

34

14
Q

Enterprise Governance

“The desired capabilities or end states are ideally expressed in achievable, measurable terms”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

OBJECTIVES

35

15
Q

Enterprise Governance

“This is a plan to achieve one or more objectives”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

STRATEGY

35

16
Q

Enterprise Governance

“At a minimum, ____ should directly reflect the mission, objectives, and goals of the overall organisation”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

POLICY

35

17
Q

Enterprise Governance

“These should flow directly from the organisation's mission, objectives and goals. Whatever is most important to the organisation should also be essential to information security”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

PRIORITIES

35

18
Q

Enterprise Governance

“The technologies, protocols, and practices used by IT should align with the organisation's needs. On their own, ____ help drive a consistent approach to solving business challenges. A choice of these should facilitate solutions that meet the organisation's needs in a cost-effective and secure manner”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

STANDARDS

  • The choice of standards should facilitate solutions that meet the organisation's needs in a cost-effective and secure manner

35

19
Q

Enterprise Governance

“Formalised descriptions of repeated business activities that include instructions to applicable personnel. These include one or more procedures and definitions of business records and other facts that help workers understand how things are supposed to be done”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

PROCESSES

35

20
Q

Enterprise Governance

“These are formal descriptions of critical activities to ensure desired outcomes”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

CONTROLS

35

21
Q

Enterprise Governance

“The organisation's IT and security programs and projects should be organised and performed in a consistent manner that reflects business priorities and supports the business”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

PROGRAM & PROJECT MANAGEMENT

35

22
Q

Enterprise Governance

“____ includes the formal measurement of processes and controls so that management understands and can measure them”

This is the definition of what artifact or action that forms part of a healthy security governance program

A

METRICS/REPORTING

35

23
Q

Enterprise Governance

Security governance should be practiced in a business in the same way it performs governance in what 2 other areas

A
  1. IT GOVERNANCE
  2. CORPORATE GOVERNANCE

35

24
Q

Enterprise Governance

“Management will ensure that risk assessments are performed to identify risks in information systems and supported processes. Follow up actions will be carried out to reduce the risk of system failure and compromise”

This is a definition of which activity required to protect the organisation

A

RISK MANAGEMENT

36

25
# Enterprise Governance *"Management will ensure that key changes will be made to business processes that will resul tin security improvement"* This is a definition of which activity required to protect the organisation
PROCESS IMPROVEMENT ## Footnote 36
26
# Enterprise Governance *"Management will put technologies and processes in place to ensure that security events and incidents will be identified as quickly as possible"* This is a definition of which activity required to protect the organisation
EVENT IDENTIFICATION ## Footnote 36
27
# Enterprise Governance *"Management will put incident response procedures into place to help avoid incidents, reduce impact and probability of incidents, and improve response to incidents to minimise their impact on the organisations"* This is a definition of which activity required to protect the organisation
INCIDENT RESPONSE ## Footnote 37
28
# Enterprise Governance *"Management will identify all applicable laws, regulations, and standards and carry out activitiys to confirm that the orgnaisation can attain and maintain compliance"* This is a definition of which activity required to protect the organisation
IMPROVED COMPLIANCE ## Footnote 37
29
# Enterprise Governance *"Management will define objectives and allocate resources to develop business continuity and disaster recovery plans"* This is a definition of which activity required to protect the organisation
BCP/DR PLANNING ## Footnote 37
30
# Enterprise Governance *"Management will establish processes to measure key security events such as incidents, policy changes and violations, audits, and training"* This is a definition of which activity required to protect the organisation
METRICS ## Footnote 37
31
# Enterprise Governance *"The allocation of workforce budget, and other resources to meet security objectives is monitored by management"* This is a definition of which activity required to protect the organisation
RESOURCE MANAGEMENT ## Footnote 37
32
# Enterprise Governance *"An effective security governance program will result in better strategic descisions in the IT organisation that keep risks at an acceptably low level"* This is a definition of which activity required to protect the organisation
IMPROVED IT GOVERNANCE ## Footnote 37
33
# Enterprise Governance What are the 2 key results of having an effective security governance program in place
1. INCREASED TRUST 2. IMPROVED REPUTATION ## Footnote 1. Customers, suppliers, and partners will trust the organisations to a greater degree when they see that security is managed effectively 2. The business community, including custoemrs, investors, and regulators, will hold the organisation in higher regard 37
34
# Enterprise Governance
To be business aligned, people in the security program should be aware of what 5 characteristics of the organisation;
[ ] Size and No. of Employees
[ ] Culture
[ ] Asset Value
[ ] Number of assets
[ ] Back up Objective
[ ] Risk Tolerance
[ ] Legal Obligations
[ ] Most important client
[ ] Market Conditions

[ ] Size and No. of Employees
[**X**] ***Culture***
[**X**] ***Asset Value***
[ ] Number of assets
[ ] Back up Objective
[**X**] ***Risk Tolerance***
[**X**] ***Legal Obligations***
[ ] Most important client
[**X**] ***Market Conditions***
## Footnote 38
35
# Enterprise Governance
A risk associated with an overzealous security manager who is more risk-averse than the business itself, causing groups within the business to bypass corporate IT processes and procure their own solutions
SHADOW IT
## Footnote 38
36
# Enterprise Governance
Goals and objectives further the organisation's mission, helping it to achieve what;
[ ] Attract new customers
[ ] Have a large workforce
[ ] Increase market share
[ ] Increase revenue/profitability
[ ] Grow rapidly

[**X**] ***Attract new customers***
[ ] Have a large workforce
[**X**] ***Increase market share***
[**X**] ***Increase revenue/profitability***
[ ] Grow rapidly
## Footnote 38
37
# Enterprise Governance
What is the ISACA definition of risk appetite
*"Level of risk an organisation is willing to accept while pursuing its mission, strategy, and objectives before taking action to treat the risk"*
## Footnote 39
38
# Enterprise Governance
*"the term used that describes how people within an organisation treat one another and how they get things done"*
This is a definition of what
ORGANISATIONAL CULTURE
## Footnote 39
39
# Enterprise Governance
The way that an organisation's leaders treat each other sets what to the rest of the employees
BEHAVIORAL NORMS
## Footnote 39
40
# Enterprise Governance
A culture that affects how the organisation deals with risk and how it treats risk over time
RISK CULTURE
## Footnote 39
41
# Enterprise Governance
A formal policy statement that defines permitted activities and forbidden activities in an organisation
ACCEPTABLE USE POLICY (AUP)
## Footnote 39
42
# Enterprise Governance
A policy that sets out to regulate the behaviour of professionals and ensure that those professionals maintain a high standard of conduct
CODE OF ETHICS aka code of conduct
## Footnote 40
43
# Enterprise Governance
The UK act and year that sets out the prohibition of individuals or organisations bribing foreign government officials
UK BRIBERY ACT 2010
## Footnote 40
44
# Enterprise Governance
Laws, Regulations, Professional standards and requirements are all examples of *INTERNAL or EXTERNAL* governance
EXTERNAL
## Footnote 40
45
# Enterprise Governance
As well as laws, regulations, professional standards and requirements, what else may be a form of external governance imposed on an organisation
CONTRACTUAL REQUIREMENTS
## Footnote 41
46
# Enterprise Governance
If an organisation has a hierarchical structure in place, i.e. specific departments in place to carry out roles and responsibilities, it can be said to have what sort of structure
FUNCTIONAL
## Footnote 41
47
# Enterprise Governance
All different organisational structures in the business, from lower level work sections to higher level departments and divisions, have "what" in regards to cybersecurity
RESPONSIBILITIES
## Footnote
* Information security is everyone's responsibility
42
48
# Enterprise Governance
Information security governance is most effective when every person knows what about their role
WHAT IS EXPECTED OF THEM
## Footnote
* Better organisations develop formal roles and responsibilities so that personnel have a clear idea of their part in all matters related to the protection of information systems
42
49
# Enterprise Governance
*"A description of the expected activities that an employee is obligated to perform as part of their employment"*
What is this a definition of in relation to organisational roles
ROLE
## Footnote 42
50
# Enterprise Governance
*"Roles are typically associated with this label, the label being assigned to each person that designates their place in the organisation"*
What is this a definition of in relation to organisational roles
JOB TITLE
## Footnote 42
51
# Enterprise Governance
*"A statement of activities that a person is expected to perform"*
What is this a definition of in relation to organisational roles
RESPONSIBILITIES
## Footnote 43
52
# Enterprise Governance
A chart that assigns levels of responsibility to individuals and groups
RACI
## Footnote 43
53
# Enterprise Governance
*"The person or group that performs the actual work or task"*
This is a definition of which function in a RACI chart
RESPONSIBLE
## Footnote 44
54
# Enterprise Governance
*"The person who is ultimately answerable for complete, accurate, and timely execution of the work"*
This is a definition of which function in a RACI chart
ACCOUNTABLE
## Footnote 44
55
# Enterprise Governance
*"One or more people or groups engaged with to determine their opinions, experiences, or insight"*
This is a definition of which function in a RACI chart
CONSULTED
## Footnote 44
56
# Enterprise Governance
*"One or more people or groups spoken to by those in other roles"*
This is a definition of which function in a RACI chart
INFORMED
## Footnote 44
57
# Enterprise Governance
When assigning roles to individuals and groups in a RACI chart, what 3 specific aspects must be considered
[ ] Age of employee
[ ] Skills/Capabilities
[ ] Segregation of duties
[ ] Conflict of interest
[ ] Resource availability

[ ] Age of employee
[**X**] ***Skills/Capabilities***
[**X**] ***Segregation of duties***
[**X**] ***Conflict of interest***
[ ] Resource availability
## Footnote 45
58
# Enterprise Governance
A duty that the board of directors have that holds them accountable to shareholders or constituents, and to act in the organisation's best interests
FIDUCIARY DUTY
## Footnote 45
59
# Enterprise Governance
What are 3 reasons that a board member may be selected into the role;
[ ] Gender
[ ] Investor representation
[ ] Age
[ ] Business experience
[ ] Access to resources
[ ] Financially well off

[ ] Gender
[**X**] ***Investor representation***
[ ] Age
[**X**] ***Business experience***
[**X**] ***Access to resources***
[ ] Financially well off
## Footnote 45
60
# Enterprise Governance
The National Association of Corporate Directors (NACD) has developed 5 principles regarding the importance of information security. Marry up each of the principles in order as listed below
[ ] Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular time on board meeting agendas
[ ] Directors should understand the legal implications of cyber risks
[ ] Board management discussions should include identification and quantification of financial exposure to cyber risks
[ ] Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework
[ ] Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk
**OPTIONS** Principle 1, Principle 2, Principle 3, Principle 4, Principle 5

[**3**] Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular time on board meeting agendas
[**2**] Directors should understand the legal implications of cyber risks
[**5**] Board management discussions should include identification and quantification of financial exposure to cyber risks
[**4**] Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework
[**1**] Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk
## Footnote 46
61
# Enterprise Governance
1. Develop and operate business-enabling capabilities through the use of information systems is the primary mission of *IT or INFORMATION SECURITY*
2. Develop a program of risk management, security, privacy, and compliance is the primary mission of *IT or INFORMATION SECURITY*
1. IT
2. INFORMATION SECURITY
## Footnote 46
62
# Enterprise Governance
What are the 3 chief title/roles that typically exist within an organisation within the executive team
1. CHIEF INFORMATION OFFICER (CIO)
2. CHIEF TECHNICAL OFFICER (CTO)
3. CHIEF INFORMATION SECURITY OFFICER (CISO)
## Footnote 47
63
# Enterprise Governance
What are the 3 key areas that executive management should be involved in;
1. ____ : Security policies developed by the information security function should be visibly endorsed
2. ____ : The executive team should not exhibit behaviour suggesting they are "above" security policy
3. ____ : Responsible for all actions carried out by the personnel who report to them
1. RATIFY CORPORATE SECURITY POLICY
2. LEAD BY EXAMPLE
3. ULTIMATE RESPONSIBILITY
## Footnote 47
64
# Enterprise Governance
Who or which group is typically responsible for the following;
1. Risk treatment deliberation and recommendation
2. Discussion and coordination of IT and security projects
3. Review of recent risk assessments
4. Discussion on new laws, regulations, and requirements
5. Review of recent security incidents
STEERING COMMITTEE
## Footnote 47/48
65
# Enterprise Governance
A business process and business asset owner is typically someone of a *TECHNICAL or NON TECHNICAL* background in a *SUPPORT or MANAGEMENT* role
1. NON TECHNICAL
2. MANAGEMENT
## Footnote 48
66
# Enterprise Governance
The responsibilities of business process and business asset owners include which 7 functions;
[ ] Access grants
[ ] Access revocation
[ ] Access disposal
[ ] Access reviews
[ ] Configuration
[ ] Editing
[ ] Function definition
[ ] Safety documentation
[ ] Process definition
[ ] Physical location

[**X**] ***Access grants***
[**X**] ***Access revocation***
[ ] Access disposal
[**X**] ***Access reviews***
[**X**] ***Configuration***
[ ] Editing
[**X**] ***Function definition***
[ ] Safety documentation
[**X**] ***Process definition***
[**X**] ***Physical location***
## Footnote 48
67
# Enterprise Governance
As a result of asset owners not being involved in the day to day activities related to managing their assets, and other teams acting as proxy to grant and revoke access, what should they do periodically to get a better assessment of their assets
PERIODIC REVIEW
## Footnote 49
68
# Enterprise Governance
In organisations that do not have a CISO, this hampers the visibility and importance of information security and often results in information security being what sort of function, i.e. concerned with primary defenses such as firewalls, antivirus, and other tools, and excluding strategy level information security.
TACTICAL FUNCTION
## Footnote 50
69
# Enterprise Governance
Not having a CISO often results in the absence of a security program and the organisation's general lack of priority for and awareness of relevant (i) ____ , (ii) ____ , and (iii) ____
1. RISKS
2. THREATS
3. VULNERABILITIES
## Footnote 50
70
# Enterprise Governance
A glance at the title of the highest-ranking information security position in a large organisation reveals much about executive management's opinion on information security. The following defines what role as the highest ranking position;
*"Information security is tactical and often viewed as consisting only of antivirus software and firewalls. The role has no visibility into the development of business objectives. Executives consider security as unimportant and based on technology only"*
SECURITY MANAGER
## Footnote 50
71
# Enterprise Governance
A glance at the title of the highest-ranking information security position in a large organisation reveals much about executive management's opinion on information security. The following defines what role as the highest ranking position;
*"Information security is essential and has moderate decision making capability but little influence on the business. May have little visibility of overall business strategies and little or no access to executive management or the board of directors"*
SECURITY DIRECTOR
## Footnote 50
72
# Enterprise Governance
A glance at the title of the highest-ranking information security position in a large organisation reveals much about executive management's opinion on information security. The following defines what role as the highest ranking position;
*"Information security is strategic but does not influence business strategy and objectives. The role has access to executive management and possibly the board of directors"*
VICE PRESIDENT
## Footnote 50
73
# Enterprise Governance
A glance at the title of the highest-ranking information security position in a large organisation reveals much about executive management's opinion on information security. The following defines what role as the highest ranking position;
*"Information security is strategic, and business objectives are developed with full consideration for risk. The C-level security person has free access to executive management and the board of directors"*
CISO/CIRO/CRO/CSO/vCISO
## Footnote 50
74
# Enterprise Governance
The role of a Chief Privacy Officer (CPO) aka Data Protection Officer (DPO) may be required because the organisation stores vast amounts of data which contains what in relation to individuals
PERSONALLY IDENTIFIABLE INFORMATION (PII)
## Footnote 51
75
# Enterprise Governance
*"A role that typically includes oversight over policy and organisation functions that come into scope for regulations and standards"*
This is a definition of what role
CHIEF COMPLIANCE OFFICER (CPO)
## Footnote 51
76
# Enterprise Governance
*"responsible for overall information systems architecture in the organisation"*
This is the definition of which software development role
SOFTWARE ARCHITECT
## Footnote 51
77
# Enterprise Governance
*"Involved with the design of applications, including changes in an application's original design"*
This is the definition of which software development role
SYSTEMS ANALYST
## Footnote 51
78
# Enterprise Governance
*"Develops application software, custom interfaces, application customisations etc."*
This is the definition of what software development role
SOFTWARE ENGINEER/DEVELOPER
## Footnote 51
79
# Enterprise Governance
*"Responsible for data architecture and management in large organisations"*
This is the definition of what Data Management role
DATA MANAGER
## Footnote 52
80
# Enterprise Governance
*"develops logical and physical designs of data models for applications"*
This is the definition of what Data Management role
DATA ARCHITECT
## Footnote 52
81
# Enterprise Governance
*"Develops data models and data analytics for large, complex data sets"*
This is the definition of what Data Management role
BIG DATA ARCHITECT
## Footnote 52
82
# Enterprise Governance
*"Builds and maintains databases designed by the database architect and databases that are included as part of purchased applications"*
This is the definition of what Data Management role
DATABASE ADMINISTRATOR (DBA)
## Footnote 52
83
# Enterprise Governance
*"performs tasks that are junior to the DBA, carrying out routine data maintenance and monitoring tasks"*
This is the definition of what Data Management role
DATABASE ANALYST
## Footnote 52
84
# Enterprise Governance
*"Applies scientific methods, builds processes, and implements systems to extract knowledge or insights from data"*
This is the definition of what Data Management role
DATA SCIENTIST
## Footnote 52
85
# Enterprise Governance
*"designs data and voice networks and designs changes and upgrades to networks"*
This is the definition of which Network Management role
NETWORK ARCHITECT
## Footnote 52
86
# Enterprise Governance
*"implements, configures, and maintains network devices such as routers, switches, firewalls, and gateways"*
This is the definition of which Network Management role
NETWORK ENGINEER
## Footnote 52
87
# Enterprise Governance
*"Performs routine tasks in the network, such as making configuration changes and monitoring event logs"*
This is the definition of which Network Management role
NETWORK ADMINISTRATOR
## Footnote 52
88
# Enterprise Governance
*"works with telecommunications technologies such as telecom services, data circuits, phone systems etc."*
This is the definition of which Network Management role
TELECOM ENGINEER
## Footnote 52
89
# Enterprise Governance
*"responsible for the overall architecture of systems (usually servers) in terms of the internal architecture of a system and the relationship between systems"*
This is the definition of which Systems Management role
SYSTEMS ARCHITECT
## Footnote 53
90
# Enterprise Governance
*"responsible for designing, building, and maintaining servers and server operating systems"*
This is the definition of which Systems Management role
SYSTEMS ENGINEER
## Footnote 53
91
# Enterprise Governance
*"responsible for designing, building, and maintaining storage subsystems"*
This is the definition of which Systems Management role
STORAGE ENGINEER
## Footnote 53
92
# Enterprise Governance
*"responsible for performing maintenance and configuration operations on systems"*
This is the definition of which Systems Management role
SYSTEMS ADMINISTRATOR
## Footnote 53
93
# Enterprise Governance
*"responsible for overall operations carried out by others"*
This is the definition of which IT Operations role
OPERATIONS MANAGER
## Footnote 53
94
# Enterprise Governance
*"responsible for developing operational procedures, examining the health of networks, systems, and databases, setting and monitoring the operations schedule, and maintaining operations records"*
This is the definition of which IT Operations role
OPERATIONS ANALYST
## Footnote 53
95
# Enterprise Governance
*"monitors batch jobs, data entry work, and other tasks to make sure they are operating correctly"*
This is the definition of which IT Operations role
CONTROLS ANALYST
## Footnote 53
96
# Enterprise Governance
*"responsible for monitoring systems and networks, performing backup tasks, running batch jobs, printing reports, and performing other operational tasks"*
This is the definition of which IT Operations role
SYSTEMS OPERATOR
## Footnote 53
97
# Enterprise Governance
*"responsible for maintaining and tracking the use and whereabouts of backup volumes"*
This is the definition of which IT Operations role
MEDIA MANAGER
## Footnote 53
98
# Enterprise Governance
*"responsible for performing risk assessments and maintaining the risk register"*
This is the definition of which Governance, Risk, and Compliance (GRC) role
RISK MANAGER
## Footnote 54
99
# Enterprise Governance
*"responsible for maintaining security and privacy policy documents and related information. Works closely with the risk manager, identifying risks that may identify the need for new and updated policy"*
This is the definition of which Governance, Risk, and Compliance (GRC) role
POLICY MANAGER
## Footnote 54
100
# Enterprise Governance
*"responsible for maintaining security controls, advising control owners on responsibilities and expectations, and assessing controls for effectiveness"*
This is the definition of which Governance, Risk, and Compliance (GRC) role
CONTROLS MANAGER
## Footnote 54
101
# Enterprise Governance
*"responsible for assessing new and existing vendors and service providers, identifying and reporting on risks, and developing mitigation strategies"*
This is the definition of which Governance, Risk, and Compliance (GRC) role
THIRD-PARTY RISK MANAGEMENT
## Footnote 54
102
# Enterprise Governance *"responsible for data classification policy and serves as a governance function to manage the organisations use of information"* This is the definition of which Governance, Risk, and Compliance (GRC) role
INFORMATION GOVERNANCE ## Footnote 54
103
# Enterprise Governance *"responsible for developing and delivering content of various types to enable the workforce to understand their informationsecurity and privacy responsibilities"* This is the definition of which Governance, Risk, and Compliance (GRC) role
SECURITY AWARENESS TRAINING ## Footnote 54
104
# Enterprise Governance *"responsible for developing and executing communications plans to keep employees, customers, regulators, and shareholders informed of business emergencies and disruptive events"* This is the definition of which Business Resilience role
CRISIS COMMUNICATIONS ## Footnote 54
105
# Enterprise Governance *"responsible for developing and executing plans to manage business emergencies when they occur"* This is the definition of which Business Resilience role
CRISIS MANAGEMENT ## Footnote 54
106
# Enterprise Governance *"responsible for conducting business impact analysis and criticality analysis and for developing and testing business continuity plans"* This is the definition of which Business Resilience role
BUSINESS CONTINUITY PLANNING ## Footnote 54
107
# Enterprise Governance *"responsible for developing and testing procedures that ensure information systems continued operation and recovery when disruptive events occur"* This is the definition of which Business Resilience role
DISASTER RECOVERY PLANNING ## Footnote 54
108
# Enterprise Governance *"responsible for designing technical security controls, systems, and solutions in contexts such as authentication, audit logging, IDS, IPS, access control, antimalware, and firewalls"* This is the definition of which Security Operations role
SECURITY ARCHITECT ## Footnote 54
109
# Enterprise Governance *"responsible for designing, building, and maintaining security services and systems designed by the security architect"* This is the definition of which Security Operations role
SECURITY ENGINEER ## Footnote 55
110
# Enterprise Governance *"responsible for examining logs from firewalls and IDS and audit logs from systems and applications"* This is the definition of which Security Operations role
SECURITY ANALYST ## Footnote 55
111
# Enterprise Governance *"responsible for conducting forensic investigations on information systems to identify the presence and effect of malware, misbehaviour of employees, and actions taken by intruders"* This is the definition of which Security Operations role
FORENSICS ANALYST ## Footnote 55
112
# Enterprise Governance *"responsible for using tools to identify vulnerabilities in information systems and advising system owners to develop mitigation strategies"* This is the definition of which Security Operations role
PENETRATION TESTER ## Footnote 55
113
# Enterprise Governance *"responsible for accepting approved requests for user access management changes"* This is the definition of which Security Operations role
ACCESS ADMINISTRATOR ## Footnote 55
114
# Enterprise Governance *"responsible for audit operations and scheduling and managing audits"* This is the definition of which Security Audit role
SECURITY AUDIT MANAGER ## Footnote 55
115
# Enterprise Governance *"responsible for performing internal audits of IT controls to ensure that they are operated properly"* This is the definition of which Security Audit role
SECURITY AUDITOR ## Footnote 55
116
# Enterprise Governance *"serves as a liaison between end users and the IT service desk department"* This is the definition of which Service Desk role
SERVICE DESK MANAGER ## Footnote 55
117
# Enterprise Governance *"responsible for providing frontline user support services to personnel in the organisation"* This is the definition of which Service Desk role
SERVICE DESK ANALYST ## Footnote 55
118
# Enterprise Governance *"responsible for facilitating quality improvement activities throughout the IT organisation"* This is the definition of which Quality Assurance role
QA MANAGER ## Footnote 56
119
# Enterprise Governance *"responsible for providing technical support services to other IT personnel and IT customers"* This is the definition of which Service Desk role
TECHNICAL SUPPORT ANALYST ## Footnote 55
120
# Enterprise Governance *"responsible for testing IT systems and applications to confirm whether they are free of defects"* This is the definition of which Quality Assurance role
QC MANAGER ## Footnote 56
121
# Enterprise Governance *"responsible for maintaining business relationships with external vendors, measuring their performance, and handling business issues"* This is the definition of which organisational role
VENDOR MANAGER ## Footnote 56
122
# Enterprise Governance *"responsible for performing tasks supporting numerous functions in IT, information security, and privacy organisations"* This is the definition of which organisational role
BUSINESS ANALYST ## Footnote 56
123
# Enterprise Governance *"responsible for creating project plans and managing IT and security projects"* This is the definition of which organisational role
PROJECT MANAGER ## Footnote 56
124
# Enterprise Governance *"responsible for financial planning and budget management for IT"* This is the definition of which organisational role
FINANCE MANAGER ## Footnote 56
125
# Enterprise Governance General staff have what 4 security-related responsibilities as part of their employment;
[ ] Understanding and complying with security policy
[ ] Challenging suspicious people in the business
[ ] Acceptable use of organisation assets
[ ] Proper judgement and proper responses to requests for information
[ ] Monitoring personal computer logs for suspicious activity
[ ] Reporting security-related incidents
[ ] Telling off other staff members non-compliant with security policies
[**X**] ***Understanding and complying with security policy***
[ ] Challenging suspicious people in the business
[**X**] ***Acceptable use of organisation assets***
[**X**] ***Proper judgement and proper responses to requests for information***
[ ] Monitoring personal computer logs for suspicious activity
[**X**] ***Reporting security-related incidents***
[ ] Telling off other staff members non-compliant with security policies ## Footnote 56