
CISM Information Security Governance 2

ジャネス | 2010-09-05 00:19:11 | Baha coins 0 | Views 1957


Practice Questions

1-1 A security strategy is important for an organization PRIMARILY because it provides:
A. a basis for determining the best logical security architecture for the organization.
B. management intent and direction for security activities.
C. provides users guidance on how to operate securely in everyday tasks.
D. helps IT auditors ensure compliance.

1-2 The MOST important reason to make sure there is good communication about security throughout the organization is:
A. to make security more palatable to resistant employees.
B. because people are the biggest security risk.
C. to inform business units about security strategy.
D. to conform to regulations requiring all employees are informed about security.

1-3 The regulatory environment for most organizations mandates a variety of security-related activities. It is MOST important that the information security manager:
A. rely on corporate counsel to advise which regulations are the most relevant.
B. stay current with all relevant regulations and request legal interpretation.
C. involve all impacted departments and treat regulations as just another risk.
D. ignore many of the regulations that have no teeth.

1-4 The MOST important consideration in developing security policies is that:
A. they are based on a threat profile.
B. they are complete and no detail is left out.
C. management signs off on them.
D. all employees read and understand them.

1-5 The PRIMARY security objective in creating good procedures is:
A. to make sure they work as intended.
B. that they are unambiguous and meet the standards.
C. that they be written in plain language and widely distributed.
D. that compliance can be monitored.

1-6 The assignment of roles and responsibilities will be MOST effective if:
A. there is senior management support.
B. the assignments are consistent with proficiencies.
C. roles are mapped to required competencies.
D. responsibilities are undertaken on a voluntary basis.

1-7 The PRIMARY benefit organizations derive from effective information security governance is:
A. ensuring appropriate regulatory compliance.
B. ensuring acceptable levels of disruptions.
C. prioritizing allocation of remedial resources.
D. maximizing return on security investments.

1-8 From an information security manager's perspective, the MOST important factors regarding data retention are:
A. business and regulatory requirements.
B. document integrity and destruction.
C. media availability and storage.
D. data confidentiality and encryption.

1-9 Which role is the BEST position to review and confirm the appropriateness of a user access list?
A. Data owner
B. Information security manager
C. Domain administrator
D. Business manager

1-10 In implementing information security governance, the information security manager is PRIMARILY responsible for:
A. developing the security strategy.
B. reviewing the security strategy.
C. communicating the security strategy.
D. approving the security strategy.

Answers to Practice Questions

1-1 B
A security strategy will define management intent and direction for a security program. It should also be a statement of how security aligns with and supports business objectives, and provides the basis for good security governance. (Refer to KS1.1 and KS1.4)

1-2 B
Communications are important to ensure continued awareness of security policies and procedures. Communications are an important monitoring tool for the security manager to be aware of potential security issues. Security failures are, in the majority of instances, directly attributable to lack of awareness or failure of employees to follow procedures. (Refer to KS1.19 and KS1.20)

1-3 C
While it can be useful to stay abreast of all current and emerging regulations, it can become a full-time job by itself. Departments such as human resources, finance and legal are most often subject to new regulations and must, therefore, be involved in determining how best to meet the existing and emerging requirements and, typically, would be most aware of these regulations. Treating regulations as another risk puts them in the proper perspective, and the mechanisms to deal with them should already exist. The fact that there are so many regulations makes it unlikely that they can all be specifically addressed efficiently. Many do not currently have significant consequences and, in fact, may be addressed by compliance with other regulations. The most relevant response to regulatory requirements is to determine potential impact to the organization, just as must be done with any other risks.

1-4 A
The basis for relevant security policies must be viable threats to the organization, prioritized by their potential impact on the business. The strictest policies apply to the areas of greatest risk. This ensures that proportionality is maintained and great effort is not expended on unlikely threats or threats with trivial impacts.

1-5 B
All of the answers are obviously important, but the first criterion must be to ensure that there is no ambiguity in the procedures and that, from a security perspective, they meet the applicable standards and, therefore, comply with policy. While it is important to make sure that procedures work as intended, the fact that they do not may not be a security issue.

1-6 B
The level of effectiveness of employees will be determined by their existing knowledge and capabilities, in other words, their proficiencies. Senior management support is always important but not essential to effectiveness of employee activities. Mapping roles to the tasks that are required can be useful, but is no guarantee that people can perform the required tasks.

1-7 B
The bottom line of security efforts is to ensure business can continue with an acceptable level of disruption that does not unduly constrain revenue-producing activities. The other choices are useful, but subordinate outcomes as well.

1-8 A
Integrity, availability and confidentiality are key factors for information security; however, business and regulatory requirements are the driving factors for data retention.

1-9 A
The data owner is responsible for periodic reconfirmation of the access lists for systems he/she owns. The information security manager is in charge of the coordination of the user access list reviews but does not have any responsibility for data access. The domain administrator may technically provide the access, but he/she does not approve it. Choice D is incorrect because the business manager may not be the data owner.

1-10 A
The information security manager is responsible for developing a security strategy based on business objectives with help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy.
