CISM Practice B Topic 1 Flashcards

(140 cards)

1
Q

Which of the following should be the FIRST step in developing an information security plan?

Perform a technical vulnerabilities assessment

Analyze the current business strategy

Perform a business impact analysis

Assess the current levels of security awareness

A

Analyze the current business strategy

2
Q

Senior management commitment and support for information security can BEST be obtained through presentations that:

use illustrative examples of successful attacks.

explain the technical risks to the organization.

evaluate the organization against best security practices.

tie security risks to key business objectives.

A

tie security risks to key business objectives.

3
Q

The MOST appropriate role for senior management in supporting information security is the:

evaluation of vendors offering security products.

assessment of risks to the organization.

approval of policy statements and funding.

monitoring adherence to regulatory requirements.

A

approval of policy statements and funding.

4
Q

Which of the following would BEST ensure the success of information security governance within an organization?

Steering committees approve security projects

Security policy training provided to all managers

Security training available to all employees on the intranet

Steering committees enforce compliance with laws and regulations

A

Steering committees approve security projects

5
Q

Information security governance is PRIMARILY driven by:

technology constraints.

regulatory requirements.

litigation potential.

business strategy.

A

business strategy.

6
Q

Which of the following represents the MAJOR focus of privacy regulations?

Unrestricted data mining

Identity theft

Human rights protection

Identifiable personal data

A

Identifiable personal data

7
Q

Investments in information security technologies should be based on:

vulnerability assessments.

value analysis.

business climate.

audit recommendations.

A

value analysis.

8
Q

Retention of business records should PRIMARILY be based on:

business strategy and direction.

regulatory and legal requirements.

storage capacity and longevity.

business case and value analysis.

A

regulatory and legal requirements.

9
Q

Which of the following is characteristic of centralized information security management?

More expensive to administer

Better adherence to policies

More aligned with business unit needs

Faster turnaround of requests

A

Better adherence to policies

10
Q

Successful implementation of information security governance will FIRST require:

security awareness training.

updated security policies.

a computer incident management team.

a security architecture.

A

updated security policies.

11
Q

Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?

Information security manager

Chief operating officer (COO)

Internal auditor

Legal counsel

A

Chief operating officer (COO)

12
Q

The MOST important component of a privacy policy is:

notifications.

warranties.

liabilities.

geographic coverage.

A

notifications.

13
Q

The cost of implementing a security control should not exceed the:

annualized loss expectancy.

cost of an incident.

asset value.

implementation opportunity costs.

A

asset value.

14
Q

When a security standard conflicts with a business objective, the situation should be resolved by:

changing the security standard.

changing the business objective.

performing a risk analysis.

authorizing a risk acceptance.

A

performing a risk analysis.

15
Q

Minimum standards for securing the technical infrastructure should be defined in a security:

strategy.

guidelines.

model.

architecture.

A

architecture.

16
Q

Which of the following is MOST appropriate for inclusion in an information security strategy?

Business controls designated as key controls

Security processes, methods, tools and techniques

Firewall rule sets, network defaults and intrusion detection system (IDS) settings

Budget estimates to acquire specific security tools

A

Security processes, methods, tools and techniques

17
Q

Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:

organizational risk.

organization wide metrics.

security needs.

the responsibilities of organizational units.

A

organizational risk.

18
Q

Which of the following roles would represent a conflict of interest for an information security manager?

Evaluation of third parties requesting connectivity

Assessment of the adequacy of disaster recovery plans

Final approval of information security policies

Monitoring adherence to physical security controls

A

Final approval of information security policies

19
Q

Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?

The information security department has difficulty filling vacancies.

The chief information officer (CIO) approves security policy changes.

The information security oversight committee only meets quarterly.

The data center manager has final signoff on all security projects.

A

The data center manager has final signoff on all security projects.

20
Q

Which of the following requirements would have the lowest level of priority in information security?

Technical

Regulatory

Privacy

Business

A

Technical

21
Q

When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?

Develop a security architecture

Establish good communication with steering committee members

Assemble an experienced staff

Benchmark peer organizations

A

Establish good communication with steering committee members

22
Q

It is MOST important that information security architecture be aligned with which of the following?

Industry best practices

Information technology plans

Information security best practices

Business objectives and goals

A

Business objectives and goals

23
Q

Which of the following is MOST likely to be discretionary?

Policies

Procedures

Guidelines

Standards

A

Guidelines

24
Q

Security technologies should be selected PRIMARILY on the basis of their:

ability to mitigate business risks.

evaluations in trade publications.

use of new and emerging technologies.

benefits in comparison to their costs.

A

ability to mitigate business risks.

25
Q

Which of the following are seldom changed in response to technological changes?

Standards

Procedures

Policies

Guidelines

A

Policies

26
Q

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:

storage capacity and shelf life.

regulatory and legal requirements.

business strategy and direction.

application systems and media.

A

application systems and media.

27
Q

Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?

More uniformity in quality of service

Better adherence to policies

Better alignment to business unit needs

More savings in total operating costs

A

Better alignment to business unit needs

28
Q

Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?

Chief security officer (CSO)

Chief operating officer (COO)

Chief privacy officer (CPO)

Chief legal counsel (CLC)

A

Chief operating officer (COO)

29
Q

Which of the following would be the MOST important goal of an information security governance program?

Review of internal control mechanisms

Effective involvement in business decision making

Total elimination of risk factors

Ensuring trust in data

A

Ensuring trust in data

30
Q

Relationships among security technologies are BEST defined through which of the following?

Security metrics

Network topology

Security architecture

Process improvement models

A

Security architecture

31
Q

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

Enforce the existing security standard

Change the standard to permit the deployment

Perform a risk analysis to quantify the risk

Perform research to propose use of a better technology

A

Perform a risk analysis to quantify the risk

32
Q

Acceptable levels of information security risk should be determined by:

legal counsel.

security management.

external auditors.

the steering committee.

A

the steering committee.

33
Q

The PRIMARY goal in developing an information security strategy is to:

establish security metrics and performance monitoring.

educate business process owners regarding their duties.

ensure that legal and regulatory requirements are met.

support the business objectives of the organization.

A

support the business objectives of the organization.

34
Q

Senior management commitment and support for information security can BEST be enhanced through:

a formal security policy sponsored by the chief executive officer (CEO).

regular security awareness training for employees.

periodic review of alignment with business management goals.

senior management signoff on the information security strategy.

A

periodic review of alignment with business management goals.

35
Q

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

Create separate policies to address each regulation

Develop policies that meet all mandated requirements

Incorporate policy statements provided by regulators

Develop a compliance risk assessment

A

Develop policies that meet all mandated requirements

36
Q

Which of the following MOST commonly falls within the scope of an information security governance steering committee?

Interviewing candidates for information security specialist positions

Developing content for security awareness programs

Prioritizing information security initiatives

Approving access to critical financial systems

A

Prioritizing information security initiatives

37
Q

Which of the following is the MOST important factor when designing information security architecture?

Technical platform interfaces

Scalability of the network

Development methodologies

Stakeholder requirements

A

Stakeholder requirements

38
Q

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?

Knowledge of information technology platforms, networks and development methodologies

Ability to understand and map organizational needs to security technologies

Knowledge of the regulatory environment and project management techniques

Ability to manage a diverse group of individuals and resources across an organization

A

Ability to understand and map organizational needs to security technologies

39
Q

Which of the following are likely to be updated MOST frequently?

Procedures for hardening database servers

Standards for password length and complexity

Policies addressing information security governance

Standards for document retention and destruction

A

Procedures for hardening database servers

40
Q

Who should be responsible for enforcing access rights to application data?

Data owners

Business process owners

The security steering committee

Security administrators

A

Security administrators

41
Q

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

head of internal audit.

chief operations officer (COO).

chief technology officer (CTO).

legal counsel.

A

chief operations officer (COO).

42
Q

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

Update platform-level security settings

Conduct disaster recovery test exercises

Approve access to critical financial systems

Develop an information security strategy paper

A

Develop an information security strategy paper

43
Q

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

assessing the frequency of incidents.

quantifying the cost of control failures.

calculating return on investment (ROI) projections.

comparing spending against similar organizations.

A

calculating return on investment (ROI) projections.

44
Q

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

aligned with the IT strategic plan.

based on the current rate of technological change.

three-to-five years for both hardware and software.

aligned with the business strategy.

A

aligned with the business strategy.

45
Q

Which of the following is the MOST important information to include in a strategic plan for information security?

Information security staffing requirements

Current state and desired future state

IT capital investment requirements

Information security mission statement

A

Current state and desired future state

46
Q

Information security projects should be prioritized on the basis of:

time required for implementation.

impact on the organization.

total cost for implementation.

mix of resources required.

A

impact on the organization.

47
Q

Which of the following is the MOST important information to include in an information security standard?

Creation date

Author name

Initial draft approval date

Last review date

A

Last review date

48
Q

Which of the following would BEST prepare an information security manager for regulatory reviews?

Assign an information security administrator as regulatory liaison

Perform self-assessments using regulatory guidelines and reports

Assess previous regulatory reports with process owners' input

Ensure all regulatory inquiries are sanctioned by the legal department

A

Perform self-assessments using regulatory guidelines and reports

49
Q

An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.

establish baseline standards for all locations and add supplemental standards as required.

bring all locations into conformity with a generally accepted set of industry best practices.

establish a baseline standard incorporating those requirements that all jurisdictions have in common.

A

establish baseline standards for all locations and add supplemental standards as required.

50
Q

Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

Ensure that all IT risks are identified

Evaluate the impact of information security risks

Demonstrate that IT mitigating controls are in place

Suggest new IT controls to mitigate operational risk

A

Evaluate the impact of information security risks

51
Q

From an information security manager's perspective, what is the immediate benefit of clearly defined roles and responsibilities?

Enhanced policy compliance

Improved procedure flows

Segregation of duties

Better accountability

A

Better accountability

52
Q

An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

Security metrics reports

Risk assessment reports

Business impact analysis (BIA)

Return on security investment report

A

Risk assessment reports

53
Q

Reviewing which of the following would BEST ensure that security controls are effective?

Risk assessment policies

Return on security investment

Security metrics

User access rights

A

Security metrics

54
Q

Which of the following is responsible for legal and regulatory liability?

Chief security officer (CSO)

Chief legal counsel (CLC)

Board and senior management

Information security steering group

A

Board and senior management

55
Q

While implementing information security governance, an organization should FIRST:

adopt security standards.

determine security baselines.

define the security strategy.

establish security policies.

A

define the security strategy.

56
Q

Information security policy enforcement is the responsibility of the:

security steering committee.

chief information officer (CIO).

chief information security officer (CISO).

chief compliance officer (CCO).

A

chief information security officer (CISO).

57
Q

A good privacy statement should include:

notification of liability on accuracy of information.

notification that information will be encrypted.

what the company will do with information it collects.

a description of the information classification process.

A

what the company will do with information it collects.

58
Q

Which of the following would be MOST effective in successfully implementing restrictive password policies?

Regular password audits

Single sign-on system

Security awareness program

Penalties for noncompliance

A

Security awareness program

59
Q

When designing an information security quarterly report to management, the MOST important element to be considered should be the:

information security metrics.

knowledge required to analyze each issue.

linkage to business area objectives.

baseline against which metrics are evaluated.

A

linkage to business area objectives.

60
Q

An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:

corporate data privacy policy.

data privacy policy where data are collected.

data privacy policy of the headquarters' country.

data privacy directive applicable globally.

A

data privacy policy where data are collected.

61
Q

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

meet with stakeholders to decide how to comply.

analyze key risks in the compliance process.

assess whether existing controls meet the regulation.

update the existing security/privacy policy.

A

assess whether existing controls meet the regulation.

62
Q

The PRIMARY objective of a security steering group is to:

ensure information security covers all business functions.

ensure information security aligns with business goals.

raise information security awareness across the organization.

implement all decisions on security management across the organization.

A

ensure information security aligns with business goals.

63
Q

Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

baseline.

strategy.

procedure.

policy.

A

policy.

64
Q

At what stage of the applications development process should the security department initially become involved?

When requested

At testing

At programming

At detail requirements

A

At detail requirements

65
Q

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

Examples of genuine incidents at similar organizations

Statement of generally accepted best practices

Associating realistic threats to corporate objectives

Analysis of current technological exposures

A

Associating realistic threats to corporate objectives

66
Q

The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

generally accepted industry best practices.

business requirements.

legislative and regulatory requirements.

storage availability.

A

business requirements.

67
Q

When personal information is transmitted across networks, there MUST be adequate controls over:

change management.

privacy protection.

consent to data transfer.

encryption devices.

A

privacy protection.

68
Q

An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:

ensure that security processes are consistent across the organization.

enforce baseline security levels across the organization.

ensure that security processes are fully documented.

implement monitoring of key performance indicators for security processes.

A

ensure that security processes are consistent across the organization.

69
Q

Who in an organization has the responsibility for classifying information?

Data custodian

Database administrator

Information security officer

Data owner

A

Data owner

70
Q

What is the PRIMARY role of the information security manager in the process of information classification within an organization?

Defining and ratifying the classification structure of information assets

Deciding the classification levels applied to the organization's information assets

Securing information assets in accordance with their classification

Checking if information assets have been classified properly

A

Defining and ratifying the classification structure of information assets

71
Q

Logging is an example of which type of defense against systems compromise?

Containment

Detection

Reaction

Recovery

A

Detection

72
Q

Which of the following is MOST important in developing a security strategy?

Creating a positive business security environment

Understanding key business objectives

Having a reporting line to senior management

Allocating sufficient resources to information security

A

Understanding key business objectives

73
Q

Who is ultimately responsible for the organization's information?

Data custodian

Chief information security officer (CISO)

Board of directors

Chief information officer (CIO)

A

Board of directors

74
Q

Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?

Alignment with industry best practices

Business continuity investment

Business benefits

Regulatory compliance

A

Regulatory compliance

75
Q

A security manager meeting the requirements for the international flow of personal data will need to ensure:

a data processing agreement.

a data protection registration.

the agreement of the data subjects.

subject access procedures.

A

the agreement of the data subjects.

76
Q

An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?

Ethics

Proportionality

Integration

Accountability

A

Proportionality

77
Q

Which of the following is the MOST important prerequisite for establishing information security management within an organization?

Senior management commitment

Information security framework

Information security organizational structure

Information security policy

A

Senior management commitment

78
Q

What will have the HIGHEST impact on standard information security governance models?

Number of employees

Distance between physical locations

Complexity of organizational structure

Organizational budget

A

Complexity of organizational structure

79
Q

In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:

prepare a security budget.

conduct a risk assessment.

develop an information security policy.

obtain benchmarking information.

A

conduct a risk assessment.

80
Q

Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:

it implies compliance risks.

short-term impact cannot be determined.

it violates industry security practices.

changes in the roles matrix cannot be detected.

A

it implies compliance risks.

81
Q

An outcome of effective security governance is:

business dependency assessment.

strategic alignment.

risk assessment.

planning.

A

strategic alignment.

82
Q

How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?

Give organization standards preference over local regulations

Follow local regulations only

Make the organization aware of those standards where local regulations cause conflicts

Negotiate a local version of the organization standards

A

Negotiate a local version of the organization standards

83
Q

Who should drive the risk analysis for an organization?

Senior management

Security manager

Quality manager

Legal department

A

Security manager

84
Q

The FIRST step in developing an information security management program is to:

identify business risks that affect the organization.

clarify organizational purpose for creating the program.

assign responsibility for the program.

assess adequacy of controls to mitigate business risks.

A

clarify organizational purpose for creating the program.

85
Q

Which of the following is the MOST important to keep in mind when assessing the value of information?

The potential financial loss

The cost of recreating the information

The cost of insurance coverage

Regulatory requirement

A

The potential financial loss

86
Q

What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

Risk assessment report

Technical evaluation report

Business case

Budgetary requirements

A

Business case

87
Q

To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

Security breach frequency

Annualized loss expectancy (ALE)

Cost-benefit analysis

Peer group comparison

A

Cost-benefit analysis

88
Q

Which of the following situations would MOST inhibit the effective implementation of security governance?

The complexity of technology

Budgetary constraints

Conflicting business priorities

High-level sponsorship

A

High-level sponsorship

89
Q

To achieve effective strategic alignment of security initiatives, it is important that:

Steering committee leadership be selected by rotation.

Inputs be obtained and consensus achieved between the major organizational units.

The business strategy be updated periodically.

Procedures and standards be approved by all departmental heads.

A

Inputs be obtained and consensus achieved between the major organizational units.

90
Q

What would be the MOST significant security risk when using wireless local area network (LAN) technology?

Man-in-the-middle attack

Spoofing of data packets

Rogue access point

Session hijacking

A

Rogue access point

91
Q

When developing incident response procedures involving servers hosting critical applications, which of the following should be the FIRST to be notified?

Business management

Operations manager

Information security manager

System users

A

Information security manager

92
Q

In implementing information security governance, the information security manager is PRIMARILY responsible for:

developing the security strategy.

reviewing the security strategy.

communicating the security strategy.

approving the security strategy.

A

developing the security strategy.

93
Q

An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:

performance measurement.

integration.

alignment.

value delivery.

A

alignment.

94
Q

When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

Compliance with international security standards

Use of a two-factor authentication system

Existence of an alternate hot site in case of business disruption

Compliance with the organization's information security requirements

A

Compliance with the organization's information security requirements

95
Q

To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:

review the functionalities and implementation requirements of the solution.

review comparison reports of tool implementation in peer companies.

provide examples of situations where such a tool would be useful.

substantiate the investment in meeting organizational needs.

A

substantiate the investment in meeting organizational needs.

96
Q

The MOST useful way to describe the objectives in the information security strategy is through:

attributes and characteristics of the "desired state."

overall control objectives of the security program.

mapping the IT systems to key business processes.

calculation of annual loss expectations.

A

attributes and characteristics of the "desired state."

97
Q

In order to highlight to management the importance of network security, the security manager should FIRST:

develop a security architecture.

install a network intrusion detection system (NIDS) and prepare a list of attacks.

develop a network security policy.

conduct a risk assessment.

A

conduct a risk assessment.

98
Q

When developing an information security program, what is the MOST useful source of information for determining available resources?

Proficiency test

Job descriptions

Organization chart

Skills inventory

A

Skills inventory

99
Q

The MOST important characteristic of good security policies is that they:

state expectations of IT management.

state only one general security mandate.

are aligned with organizational goals.

govern the creation of procedures and guidelines.

A

are aligned with organizational goals.

100
Q

An information security manager must understand the relationship between information security and business operations in order to:

support organizational objectives.

determine likely areas of noncompliance.

assess the possible impacts of compromise.

understand the threats to the business.

A

support organizational objectives.

101
Q

The MOST effective approach to address issues that arise between IT management, business units and security management when implementing a new security strategy is for the information security manager to:

escalate issues to an external third party for resolution.

ensure that senior management provides authority for security to address the issues.

insist that managers or units not in agreement with the security solution accept the risk.

refer the issues to senior management along with any security recommendations.

A

refer the issues to senior management along with any security recommendations.

102
Q

Obtaining senior management support for establishing a warm site can BEST be accomplished by:

establishing a periodic risk assessment.

promoting regulatory requirements.

developing a business case.

developing effective metrics.

A

developing a business case.

103
Which of the following would be the BEST option to improve accountability for a system administrator who has security functions? Include security responsibilities in the job description Require the administrator to obtain security certification Train the system administrator on penetration testing and vulnerability assessment Train the system administrator on risk assessment
Include security responsibilities in the job description
104
Which of the following is the MOST important element of an information security strategy?
Defined objectives
Time frames for delivery
Adoption of a control framework
Complete policies
Defined objectives
105
A multinational organization operating in fifteen countries is considering implementing an information security program. Which factor will MOST influence the design of the information security program?
Representation by regional business leaders
Composition of the board
Cultures of the different countries
IT security skills
Cultures of the different countries
106
Which of the following is the BEST justification to convince management to invest in an information security program?
Cost reduction
Compliance with company policies
Protection of business assets
Increased business value
Increased business value
107
On a company's e-commerce web site, a good legal statement regarding data privacy should include:
a statement regarding what the company will do with the information it collects.
a disclaimer regarding the accuracy of information on its web site.
technical information regarding how information is protected.
a statement regarding where the information is being hosted.
a statement regarding what the company will do with the information it collects.
108
The MOST important factor in ensuring the success of an information security program is effective:
communication of information security requirements to all users in the organization.
formulation of policies and procedures for information security.
alignment with organizational goals and objectives.
monitoring compliance with information security policies and procedures.
alignment with organizational goals and objectives.
109
Which of the following would be MOST helpful to achieve alignment between information security and organization objectives?
Key control monitoring
A robust security awareness program
A security program that enables business activities
An effective security architecture
A security program that enables business activities
110
Which of the following BEST contributes to the development of a security governance framework that supports the maturity model concept?
Continuous analysis, monitoring and feedback
Continuous monitoring of the return on security investment (ROI)
Continuous risk reduction
Key risk indicator (KRI) setup to security management processes
Continuous analysis, monitoring and feedback
111
The MOST complete business case for security solutions is one that:
includes appropriate justification.
explains the current risk profile.
details regulatory requirements.
identifies incidents and losses.
includes appropriate justification.
112
Which of the following is MOST important to understand when developing a meaningful information security strategy?
Regulatory environment
International security standards
Organizational risks
Organizational goals
Organizational goals
113
Which of the following is an advantage of a centralized information security organizational structure?
It is easier to promote security awareness.
It is easier to manage and control.
It is more responsive to business unit needs.
It provides a faster turnaround for security requests.
It is easier to manage and control.
114
Which of the following would help to change an organization's security culture?
Develop procedures to enforce the information security policy
Obtain strong management support
Implement strict technical security controls
Periodically audit compliance with the information security policy
Obtain strong management support
115
The BEST way to justify the implementation of a single sign-on (SSO) product is to use:
return on investment (ROI).
a vulnerability assessment.
annual loss expectancy (ALE).
a business case.
a business case.
116
The FIRST step in establishing a security governance program is to:
conduct a risk assessment.
conduct a workshop for all end users.
prepare a security budget.
obtain high-level sponsorship.
obtain high-level sponsorship.
117
An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:
conflicting security controls with organizational needs.
strong protection of information resources.
implementing appropriate controls to reduce risk.
proving information security's protective abilities.
conflicting security controls with organizational needs.
118
An organization's information security strategy should be based on:
managing risk relative to business objectives.
managing risk to a zero level and minimizing insurance premiums.
avoiding occurrence of risks so that insurance is not required.
transferring most risks to insurers and saving on control costs.
managing risk relative to business objectives.
119
Which of the following should be included in an annual information security budget that is submitted for management approval?
A cost-benefit analysis of budgeted resources
All of the resources that are recommended by the business
Total cost of ownership (TCO)
Baseline comparisons
A cost-benefit analysis of budgeted resources
120
Which of the following is a benefit of information security governance?
Reduction of the potential for civil or legal liability
Questioning trust in vendor relationships
Increasing the risk of decisions based on incomplete management information
Direct involvement of senior management in developing control processes
Reduction of the potential for civil or legal liability
121
Investment in security technology and processes should be based on:
clear alignment with the goals and objectives of the organization.
success cases that have been experienced in previous projects.
best business practices.
safeguards that are inherent in existing technology.
clear alignment with the goals and objectives of the organization.
122
The data access requirements for an application should be determined by the:
legal department.
compliance officer.
information security manager.
business owner.
business owner.
123
From an information security perspective, information that no longer supports the main purpose of the business should be:
analyzed under the retention policy.
protected under the information classification policy.
analyzed under the backup policy.
protected under the business impact analysis (BIA).
analyzed under the retention policy.
124
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
Laws and regulations of the country of origin may not be enforceable in the foreign country.
A security breach notification might get delayed due to the time difference.
Additional network intrusion detection sensors should be installed, resulting in an additional cost.
The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
Laws and regulations of the country of origin may not be enforceable in the foreign country.
125
Effective IT governance is BEST ensured by:
utilizing a bottom-up approach.
management by the IT department.
referring the matter to the organization's legal department.
utilizing a top-down approach.
utilizing a top-down approach.
126
The FIRST step to create an internal culture that focuses on information security is to:
implement stronger controls.
conduct periodic awareness training.
actively monitor operations.
gain the endorsement of executive management.
gain the endorsement of executive management.
127
Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?
Obtain the support of the board of directors.
Improve the content of the information security awareness program.
Improve the employees' knowledge of security policies.
Implement logical access controls to the information systems.
Obtain the support of the board of directors.
128
When an organization is implementing an information security governance program, its board of directors should be responsible for:
drafting information security policies.
reviewing training and awareness programs.
setting the strategic direction of the program.
auditing for compliance.
setting the strategic direction of the program.
129
A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager?
Acceptance of the business manager's decision on the risk to the corporation
Acceptance of the information security manager's decision on the risk to the corporation
Review of the assessment with executive management for final input
A new risk assessment and BIA are needed to resolve the disagreement
Review of the assessment with executive management for final input
130
Who is responsible for ensuring that information is categorized and that specific protective measures are taken?
The security officer
Senior management
The end user
The custodian
Senior management
131
An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?
Direct information security on what they need to do
Research solutions to determine the proper solutions
Require management to report on compliance
Nothing; information security does not report to the board
Require management to report on compliance
132
Information security should be:
focused on eliminating all risks.
a balance between technical and business requirements.
driven by regulatory requirements.
defined by the board of directors.
a balance between technical and business requirements.
133
What is the MOST important factor in the successful implementation of an enterprise-wide information security program?
Realistic budget estimates
Security awareness
Support of senior management
Recalculation of the work factor
Support of senior management
134
What is the MAIN risk when there is no user management representation on the Information Security Steering Committee?
Functional requirements are not adequately considered.
User training programs may be inadequate.
Budgets allocated to business units are not appropriate.
Information security plans are not aligned with business requirements.
Information security plans are not aligned with business requirements.
135
The MAIN reason for having the Information Security Steering Committee review a new security controls implementation plan is to ensure that:
the plan aligns with the organization's business plan.
departmental budgets are allocated appropriately to pay for the plan.
regulatory oversight requirements are met.
the impact of the plan on the business units is reduced.
the plan aligns with the organization's business plan.
137
Which of the following should be determined while defining risk management strategies?
Risk assessment criteria
Organizational objectives and risk appetite
IT architecture complexity
Enterprise disaster recovery plans
Organizational objectives and risk appetite
138
When implementing effective security governance within the requirements of the company's security strategy, which of the following is the MOST important factor to consider?
Preserving the confidentiality of sensitive data
Establishing international security standards for data sharing
Adhering to corporate privacy standards
Establishing system manager responsibility for information security
Preserving the confidentiality of sensitive data
139
Which of the following is the BEST reason to perform a business impact analysis (BIA)?
To help determine the current state of risk
To budget appropriately for needed controls
To satisfy regulatory requirements
To analyze the effect on the business
To help determine the current state of risk
140