CISM - Information Security Governance, Strategy, Objectives & Metrics Exam Questions & Answers (Grade A+).docx

CISM - Information Security
Governance, Strategy, Objectives &
Metrics Exam Questions & Answers
(Grade A+)
The FIRST step in developing an information security management
program is to:


identify business risk that affects the organization.
establish the need for creating the program.
assign responsibility for the program.
assess adequacy of existing controls. - correct answer ✅B is the
correct answer.


Justification
The task of identifying business risk that affects the organization is
assigned and acted on after establishing the need for creating the
program.


In developing an information security management program, the
first step is to establish the need for creating the program. This is a
business decision based more on judgment than on any specific
quantitative measures. The other choices are assigned and acted on
after establishing the need.

,CISM - Information Security
Governance, Strategy, Objectives &
Metrics Exam Questions & Answers
(Grade A+)
The task of assigning responsibility for the program is assigned and
acted on after establishing the need for creating the program.


The task of assessing the adequacy of existing controls is assigned
and acted on after establishing the need for creating the program.


Which of the following is characteristic of centralized information
security management?


More expensive to administer
Better adherence to policies
More aligned with business unit needs
Faster turnaround of requests - correct answer ✅B is the correct
answer.


Justification
Centralized information security management is generally less
expensive to administer due to the economies of scale.

,CISM - Information Security
Governance, Strategy, Objectives &
Metrics Exam Questions & Answers
(Grade A+)
Centralization of information security management results in
greater uniformity and better adherence to security policies.


With centralized information security management, information
security is typically less responsive to specific business unit needs.


With centralized information security management, turnaround can
be slower due to greater separation and more bureaucracy
between the information security department and end users.


Which of the following is characteristic of decentralized information
security management across a geographically dispersed
organization?


More uniformity in quality of service
Better adherence to policies
Better alignment to business unit needs
More savings in total operating costs - correct answer ✅C is the
correct answer.

, CISM - Information Security
Governance, Strategy, Objectives &
Metrics Exam Questions & Answers
(Grade A+)

Justification


Uniformity in quality of service tends to vary from unit to unit.


Adherence to policies is likely to vary considerably between various
business units.


Decentralization of information security management generally
results in better alignment to business unit needs because security
management is closer to the end user.


Decentralization of information security management is generally
more expensive to administer due to the lack of economies of
scale.


What will have the HIGHEST impact on standard information
security governance models?