ISACA CISM 2-15 Q uestion , Answers
and Explanations
Questions - Answers and Explanations
Decisions regarding information security are best supported by - effective metrics
effective metrics are essential to provide information needed to make decisions. Metrics
are quantifiable entity that allows the measurement of the achievement of a process
goal.
A project manager is developing a developer portal and request that the security
manager assign a public IP address so that it can be accessed by in house staff and by
external consultants outside the organization's local area network (LAN). What should
the security manager do first? - understand the business requirements of the portal
you cannot make an uninformed decision. Learn and understand the business
requirement first! Vulernability accessment and Intrustion detection systems (IDS) are
subsequent tasks
Which of the following should be understood before defining risk management
strategies? - organizational objectives and risk appetite Analyze the org's objectives and
risk appetite, then define a risk mgt framework based on the analysis; Some org's may
accept known risks;
Primary concern of an info security manager documenting a formal data retention policy
is - Business Requirements!
Best practices are useful, but not primary; Legislative or regulatory are only primary if
they are part of the business requirments
the maturity of an info security program is primarily the result of - An effective info
security strategy;
Strategy provides clear direction on how the organization will attain security outcomes
and directed by senior mgt;
Other note:
Assess and analyzing risk is required to develop a strategy; provide info needed to
develop it, but will not define the scope and charter of the security program;
Security architecture is a part of a larger security plan
Applicability statement is part of strategy implementation using ISO 27001 or 27002
after determining the scope & responsibilities of the program
which of the following best supports the principle of security proportionality? - Asset
Classification!
Classification provides the basis for protecting resources in relation to their importance
to the organization; More important assets get proportionally higher level of protection
and Explanations
Questions - Answers and Explanations
Decisions regarding information security are best supported by - effective metrics
effective metrics are essential to provide information needed to make decisions. Metrics
are quantifiable entity that allows the measurement of the achievement of a process
goal.
A project manager is developing a developer portal and request that the security
manager assign a public IP address so that it can be accessed by in house staff and by
external consultants outside the organization's local area network (LAN). What should
the security manager do first? - understand the business requirements of the portal
you cannot make an uninformed decision. Learn and understand the business
requirement first! Vulernability accessment and Intrustion detection systems (IDS) are
subsequent tasks
Which of the following should be understood before defining risk management
strategies? - organizational objectives and risk appetite Analyze the org's objectives and
risk appetite, then define a risk mgt framework based on the analysis; Some org's may
accept known risks;
Primary concern of an info security manager documenting a formal data retention policy
is - Business Requirements!
Best practices are useful, but not primary; Legislative or regulatory are only primary if
they are part of the business requirments
the maturity of an info security program is primarily the result of - An effective info
security strategy;
Strategy provides clear direction on how the organization will attain security outcomes
and directed by senior mgt;
Other note:
Assess and analyzing risk is required to develop a strategy; provide info needed to
develop it, but will not define the scope and charter of the security program;
Security architecture is a part of a larger security plan
Applicability statement is part of strategy implementation using ISO 27001 or 27002
after determining the scope & responsibilities of the program
which of the following best supports the principle of security proportionality? - Asset
Classification!
Classification provides the basis for protecting resources in relation to their importance
to the organization; More important assets get proportionally higher level of protection
