CISM Prep Flashcards

1
Q

What an effective governance program will use

A

Balanced scorecard, metrics, and other means to monitor these or other key processes.

2
Q

Information security governance

A

A set of activities that are established so that management has a clear understanding of the state of the organization’s security programs, its current risks, and its direct activities

3
Q

Issues that Information security can create

A

Business and people issues

4
Q

Goal of the security program

A

To continue to contribute toward fulfillment of the security strategy, which itself will continue to align to the business and its business objectives.

5
Q

IT’s role in a successful information security governance

A

Effective IT governance is required. Without IT governance, information security governance will not be able to reach its full potential.

6
Q

Downward vision flow of information security governance

A

1- Business vision; to
2- Business strategy; to
3- Business objective; to
4- IT security strategy; to
5- IT security strategy; to
6- Security policy; to
7- Security standards; to
8- Security process; to
9- Security metrics

7
Q

Purpose of security governance

A

To align the organization’s security program with the needs of the business.

8
Q

Security Policy

A

Should, at a minimum, directly reflect the mission, objectives, and goals of the organization.

9
Q

Standards

A

Help to drive a consistent approach to solving business challenges.

10
Q

Processes

A

Formalized descriptions of repeated business activities that include instructions to applicable personnel.

11
Q

Two key results of an effective security governance program

A

• Increased trust: Customers, suppliers, and partners trust the organization to a greater degree when they see that security is managed effectively.
• Improved reputation: The business community, including customers, investors, and regulators, will hold the organization in regard.

12
Q

When does governance begin

A

With the establishment of top-level strategic objectives that are translated into actions, policies, procedures, and other activities.

13
Q

The term “information security governance”

A

It refers to a collection of top-down activities intended to control the security organization to ensure that information security supports the business.

14
Q

Objectives

A

Desired capabilities or end states, ideally expressed in achievable, measurable terms.

15
Q

Strategy

A

A plan to achieve one or more objectives.

16
Q

What should be considered when building out a governance structure?

A

CIA (Confidentiality, Integrity, Availability) and the type of information used by the business.

17
Q

What are the functions and roles inside a typical Cybersecurity Organization?

A

Engineering/Operations, Incident Response, Policy and Compliance

18
Q

What is the goal of information security and

A

The goal of information security is to protect the confidentiality, integrity, and availability of an organization’s information and information assets. The goal of cybersecurity is to protect the confidentiality, integrity, and availability of an organization’s digital resources.

Information security, properly defined, is responsible for the security

19
Q

What are Information Security Risks?

A

Security incidents occur when an organization experiences an adverse impact to the confidentiality, integrity, and/or availability of information or information systems. These incidents may occur as the result of malicious activity (such as an attacker targeting the organization and stealing sensitive information); accidental activity (such as an employee leaving an unencrypted laptop in the back of a rideshare); or natural activity (such as an earthquake destroying a data center).

20
Q

What is the DAD Triad?

A

This model explains the three important threats to cybersecurity efforts: disclosure, alteration, and denial. Each of these three threats maps directly to one of the main goals of cybersecurity:

21
Q

Disclosure

A

Disclosure is the exposure of sensitive information to unauthorized individuals, otherwise known as data loss. Disclosure is a violation of the principle of confidentiality. Attackers who gain access to sensitive information and remove it from the organization are said to be performing data exfiltration. Disclosure may also occur accidentally, such as when an administrator misconfigures access controls or an employee loses a device.

22
Q

Alteration

A

Alteration is the unauthorized modification of information and is a violation of the principle of integrity. Attackers may seek to modify records contained in a system for financial gain, such as adding fraudulent transactions to a financial account. Alteration may occur as the result of natural activity, such as a power surge causing a “bit flip” that modifies stored data. Accidental alteration is also a possibility, if users unintentionally modify information stored in a critical system as the result of a typo or other unintended activity.

23
Q

Denial

A

Denial is the disruption of an authorized user’s legitimate access to information. Denial events violate the principle of availability. This availability loss may be intentional, such as when an attacker launches a distributed denial-of-service (DDoS) attack against a website. Denial may also occur as the result of accidental activity, such as the failure of a critical server, or as the result of natural activity, such as a natural disaster impacting a communications circuit.

24
Q

Financial risk

A

Financial risk is, as the name implies, the risk of monetary damage to the organization as the result of a data breach, service disruption, or other security incident. This may be very direct financial damage, such as the costs of rebuilding a data center after it is physically destroyed or the costs of contracting experts for incident response and forensic analysis services.

25
Q

Reputational risk

A

Reputational risk occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and other stakeholders. It is often difficult to quantify reputational damage, since these stakeholders may not directly say that they will reduce or eliminate their volume of business with the organization as a result of the security breach. However, the breach may still have an impact on their future decisions about doing business with the organization.

26
Q

Incident Impact

A

The impacts of a security incident may be wide-ranging, depending on the nature of the incident and the type of organization affected. We can categorize the potential impact of a security incident using the same categories that businesses generally use to describe any type of risk: financial, reputational, strategic, operational, and compliance.

27
Q

Strategic Risk

A

Strategic risk is the risk that an organization will become less effective in meeting its major goals and objectives as a result of the breach. Consider again the example of an employee losing a laptop that contains new product development plans. In addition to the financial impact discussed earlier, this incident may pose strategic risk to the organization in two different ways.

28
Q

Operational Risk

A

Operational risk is risk to the organization’s ability to carry out its day-to-day functions. Operational risks may slow down business processes, delay delivery of customer orders, or require the implementation of time-consuming manual workarounds to normally automated practices.

29
Q

Compliance Risk

A

Compliance risk occurs when a security breach causes an organization to run afoul of legal or regulatory requirements. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that health-care providers and other covered entities protect the confidentiality, integrity, and availability of protected health information (PHI). If an organization loses patient medical records, they run afoul of HIPAA requirements and are subject to sanctions and fines from the U.S. Department of Health and Human Services. That’s an example of compliance risk.

30
Q

Threat vectors

A

Threat vectors are the tactics, tools, and techniques used by threat actors to achieve their objectives.

31
Q

Threat actors

A

Threat actors are the individuals or groups seeking to undermine the security of an organization.

32
Q

SWOT analysis

A

SWOT analysis is a technique commonly used by organizations to assess their current state and develop their forward-looking strategy. SWOT is an acronym describing the four major elements of the analysis:

33
Q

What level in the org conducts the SWOT?

A

The SWOT analysis may be conducted at any level of the organization. Senior leaders may conduct a SWOT analysis that analyzes the business overall. The CISO may conduct a SWOT analysis for the broad information security function, whereas the director of the incident response team may conduct a SWOT analysis for that specific function.

34
Q

How do organizations define their security requirements?

A

After identifying the risks that they face, organizations define their security requirements by writing a series of control objectives that describe how they plan to manage those risks. These control objectives are described from a strategic perspective in a general manner and provide a basis for the evaluation of the organization’s current information security program against its desired state.

35
Q

Gap analysis

A

Gap analysis identifies areas of deficiency and opportunities for improvement that, if prioritized for remediation, may become the basis for goals in the organization’s information security strategy.

36
Q

CMMI

A

At Level 1: Initial, the organization has unpredictable processes that are poorly controlled. This level is characterized by reactive management and a “firefighting” approach.
When an organization achieves Level 2: Managed, it begins to implement organized processes on a per-project basis but is still operating in reactive mode.
Moving on to Level 3: Defined, the organization has standard processes that are used organization wide and are adapted for use within each project. This level marks a shift from reactive to proactive management.
Level 4: Quantitatively Managed organizations build measurement and controls on top of their processes to allow them to quickly identify and remediate deficiencies and address control gaps before issues arise.
At the top tier of the CMMI, Level 5: Optimizing organizations use a continuous process improvement approach to adjust and fine-tune the way that they work to achieve peak efficiency and effectiveness.

37
Q

Information security functions exist for only one purpose

A

Information security functions exist for only one purpose: to serve the business. Certainly, security teams are focused on protecting the confidentiality, integrity, and availability of that business’s information and systems, but information security managers must remain constantly aware that they do so in service of the organization achieving its business goals and objectives.

38
Q

Why does security need Leadership Support?

A

As a supporting function, information security initiatives do not generate revenue. Security functions are a cost center from a financial perspective. Every dollar spent on cybersecurity issues is a dollar that cannot be invested elsewhere in the business or returned to shareholders as profit. Therefore, senior business leaders and other stakeholders are often wary of investments in cybersecurity, and achieving their support is crucial to the success of the program.

39
Q

Your organization’s risk tolerance

A

Your organization’s risk tolerance. This is the degree of risk that you are willing to undertake as you seek to achieve your business objectives. You will learn more about risk tolerance and risk management in Chapter 3, “Information Risk Management.”

40
Q

The regulatory environment within which your organization operates.

A

The regulatory environment within which your organization operates. This may include federal and state laws and industry codes of practice. You will learn more about regulatory requirements that may apply to your organization in Chapter 2.

41
Q

Changes in the threat landscape.

A

Changes in the threat landscape. As adversaries adapt their tactics and techniques, your cybersecurity strategy must evolve to combat those changes. You will learn more about the cybersecurity threat landscape in Chapter 4.

42
Q

The senior-level officials who bear overall responsibility for particular datasets.

A

Data owners are the senior-level officials who bear overall responsibility for particular datasets.
The data owner sets policies and guidelines for data use and data security and has the authority to make final decisions regarding a dataset.
Data owners are usually the business leaders who have responsibility for the mission area most closely related to the dataset. For example, an organization’s vice president for human resources might be the data owner for employment information.

43
Q

Data Owners usually delegate that responsibility to a data steward.

A

Data Owners usually delegate that responsibility to a data steward. The data steward handles the implementation of the high-level policies set by the data owner. For example, a data steward might make day-to-day decisions about who may access a dataset. In the case of the employee dataset, if the data owner is the vice president for human resources, that vice president might delegate data stewardship responsibility to a director for HR information services. In most cases, there is a reporting relationship between the data owner and the data steward.

44
Q

Data custodians

A

Data custodians are the individuals who actually store and process the information in question. IT staff often find themselves in the position of data custodians because of their roles as system owners and administrators. Technologists are rarely data owners or data stewards, but they are usually data custodians for almost all of the data in the organization due to the nature of their jobs. Data stewards ensure that appropriate data protections are in place, including encryption, backups, access controls, and other mechanisms that meet the requirements set forth by data owners and stewards.

45
Q

High-risk users

A

High-risk users are those who are the likely targets of cyberattacks. This may be because they are high-profile individuals likely to attract attention or because they engage in activities that place them at higher risk, such as frequently traveling to high-risk destinations.

46
Q

Privileged users

A

Privileged users are those who would pose a higher-than-average risk if their accounts were compromised. This includes technologists with administrative access to systems, finance professionals with the ability to initiate funds transfers, executives with access to sensitive information, and other similar highly privileged groups.

47
Q

How do you document a security strategy?

A
48
Q

Security Control Categories

A

Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.
Operational controls include the processes that we put in place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management.
Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples of administrative controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices.

49
Q

Security Control Types
We can also divide security controls into categories, based on their desired effect. The types of security control include the following:

A

Preventive controls intend to stop a security issue before it occurs. Firewalls and encryption are examples of preventive controls.
Detective controls identify security events that have already occurred. Intrusion detection systems are detective controls.
Corrective controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control.
Deterrent controls seek to discourage an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls.
Physical controls are security controls that impact the physical world. Examples of physical security controls include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.
Compensating controls are controls designed to mitigate the risk associated with exceptions made to a security policy.

50
Q

Three states in which data might exist

A

Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. This data is prone to pilfering by insiders or external attackers who gain access to systems and are able to browse through their contents.
Data in motion is data that is in transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.
Data in processing is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information.

51
Q

Data Protection Techniques

A

Data Encryption
Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.

We’ll dive deeply into encryption tools and techniques in Chapter 7, “Cybersecurity Technology.”

Data Loss Prevention
Data loss prevention (DLP) systems help organizations enforce information handling policies and procedures to prevent data loss and theft. They search systems for stores of sensitive information that might be unsecured and monitor network traffic for potential attempts to remove sensitive information from the organization. They can act quickly to block the transmission before damage is done and alert administrators to the attempted breach.
Data minimization techniques reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.

52
Q

Data Obfuscation techniques

A

Hashing uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value. Hashing uses a one-way function, meaning that it is not possible to retrieve the original value if you only have access to the hashed value.
Tokenization replaces sensitive values with a unique identifier using a lookup table. For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We’d then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone’s identity. Of course, if you use this approach, you must keep the lookup table secure!
Masking partially redacts sensitive information by replacing some or all sensitive fields with blank characters. For example, we might replace all but the last four digits of a credit card number with X’s or *’s to render the card number unreadable.

53
Q

Describe how information security strategies should be aligned with organizational goals and objectives.

A

As information security managers develop their plans, they should use reliable techniques to assess the current state of the program, such as threat research, SWOT analysis, and gap analysis. They may then identify the initiatives that will move the organization from the current state to its desired state.

55
Q

Explain how security strategies are influenced by internal and external factors.

A

Security strategies must be aligned with the business, but they must also incorporate other influences. Information security managers must remain abreast of emerging technologies, social media, the business environment, the organization’s risk tolerance, regulatory requirements, third-party considerations, and the threat landscape as they develop, monitor, and revise cybersecurity strategies.

56
Q

Know why stakeholder commitment and communication are essential to success.

A

As information security leaders roll out new strategies, they must ensure that they have the support of senior leaders and other stakeholders. They may do this by clearly outlining how information security supports the organization’s broader goals and objectives, identifying the business impact of security initiatives, and identifying clear success criteria.

57
Q

Explain how security controls may be categorized based on their mechanism of action and their intent.

A

Controls are grouped into the categories of managerial, operational, and technical based on the way that they achieve their objectives. They are divided into the types of preventive, detective, corrective, deterrent, compensating, and physical based on their intended purpose.

58
Q

Describe the diverse impacts of data breaches on organizations.

A

When an organization suffers a data breach, the resulting data loss often results in both direct and indirect damages. The organization suffers immediate financial repercussions due to the costs associated with the incident response, as well as long-term financial consequences due to reputational damage. This reputational damage may be difficult to quantify, but it may also have a lasting impact. In some cases, organizations may suffer operational damage if they experience availability damages, preventing them from accessing their own information.

59
Q

Know how data loss prevention (DLP) systems block data exfiltration attempts.

A

DLP technology enforces information handling policies to prevent data loss and theft. DLP systems may function at the host level, using software agents to search systems for the presence of sensitive information. They may also work at the network level, watching for transmissions of unencrypted sensitive information. DLP systems detect sensitive information using pattern-matching technology and/or digital watermarking.