CISM Exam Prep Questions an d
Answers
Information security governance is primarily driven by: - Business strategy
Who should drive the risk analysis for an organization? - the Security Manager
Who should be responsible for enforcing access rights to application data? - Security
administrators
The MOST important component of a privacy policy is: - notifications
Investment in security technology and processes should be based on: - clear alignment
with the goals and objectives of the organization
Define information security governance - 1. A set of policies and procedures that
establishes a framework of information security strategies
2. A practice area that ensures efficient utilization of information resources
The main purpose of information security governance - to ensure the safety of
information including its Confidentiality, Integrity and Availability. Information security
governance protects information from loss, misuse, unauthorized usage, and
destruction during its life cycle or the time it is being used in an organization.
Benefits of information security governance - - accountability for protecting information
during important business activities
- reduction of the impact of security incidents
- reduction in risks to tolerable limits
- protection from civil and legal liabilities
- enhancement of trust in customer relationships
- assurance of policy compliance
- protection of company reputation
In order to be effective, information security governance needs to provide 6 basic
outcomes: - - strategic alignment
- value delivery
- risk management
- performance measurement
- resource management
- integration
Should information security investments be optimized or minimized? - Optimized so that
they support business objectives.
, Primary goals of resource management: - - keeping a record of security practices and
processes
- acquiring knowledge and making it accessible
- building a security architecture that identifies and uses infrastructure resources
properly
What is Corporate Governance? - Corporate governance is a set of procedures and
duties performed by the board of directors and executive management to direct and
control the organization. Corporate governance helps the board of directors to
• ensure that business objectives are met
• provide strategic direction for business activities
• verify the efficient use of the organization's resources, and
ensure proper handling of business risks
Information Security Governance - While corporate governance deals with performance
and control at all levels of the organization, information security governance is a subset
of corporate governance. Information security governance is concerned with the policies
and controls related to protecting information in the organization. It helps you to
• ensure that information security objectives are achieved
• provide strategic direction for information security activities
• ensure the efficient use of information resources, and
manage information security risks
General components of the Information Security Governance Framework are: - -
security strategy
- security policies
- standards
- security organizational structure
- metrics and monitoring
Steering Committee - Consists of senior representatives of departments that are directly
or indirectly affected by information security policies. The steering committee aims to
involve all stakeholders influenced by security aspects.
Who is responsible for identifying information assets that need to be protected and
assigning appropriate priorities and protection levels for them? - The Board of Directors
Who is responsible for achieving organizational consent over priorities related to
information security and ensuring the involvement of all stakeholders influenced by
security considerations? - The Steering Committe
Who needs to establish reporting and communication channels in the whole
organization to make sure that information security governance is effective? - The CISO
Answers
Information security governance is primarily driven by: - Business strategy
Who should drive the risk analysis for an organization? - the Security Manager
Who should be responsible for enforcing access rights to application data? - Security
administrators
The MOST important component of a privacy policy is: - notifications
Investment in security technology and processes should be based on: - clear alignment
with the goals and objectives of the organization
Define information security governance - 1. A set of policies and procedures that
establishes a framework of information security strategies
2. A practice area that ensures efficient utilization of information resources
The main purpose of information security governance - to ensure the safety of
information including its Confidentiality, Integrity and Availability. Information security
governance protects information from loss, misuse, unauthorized usage, and
destruction during its life cycle or the time it is being used in an organization.
Benefits of information security governance - - accountability for protecting information
during important business activities
- reduction of the impact of security incidents
- reduction in risks to tolerable limits
- protection from civil and legal liabilities
- enhancement of trust in customer relationships
- assurance of policy compliance
- protection of company reputation
In order to be effective, information security governance needs to provide 6 basic
outcomes: - - strategic alignment
- value delivery
- risk management
- performance measurement
- resource management
- integration
Should information security investments be optimized or minimized? - Optimized so that
they support business objectives.
, Primary goals of resource management: - - keeping a record of security practices and
processes
- acquiring knowledge and making it accessible
- building a security architecture that identifies and uses infrastructure resources
properly
What is Corporate Governance? - Corporate governance is a set of procedures and
duties performed by the board of directors and executive management to direct and
control the organization. Corporate governance helps the board of directors to
• ensure that business objectives are met
• provide strategic direction for business activities
• verify the efficient use of the organization's resources, and
ensure proper handling of business risks
Information Security Governance - While corporate governance deals with performance
and control at all levels of the organization, information security governance is a subset
of corporate governance. Information security governance is concerned with the policies
and controls related to protecting information in the organization. It helps you to
• ensure that information security objectives are achieved
• provide strategic direction for information security activities
• ensure the efficient use of information resources, and
manage information security risks
General components of the Information Security Governance Framework are: - -
security strategy
- security policies
- standards
- security organizational structure
- metrics and monitoring
Steering Committee - Consists of senior representatives of departments that are directly
or indirectly affected by information security policies. The steering committee aims to
involve all stakeholders influenced by security aspects.
Who is responsible for identifying information assets that need to be protected and
assigning appropriate priorities and protection levels for them? - The Board of Directors
Who is responsible for achieving organizational consent over priorities related to
information security and ensuring the involvement of all stakeholders influenced by
security considerations? - The Steering Committe
Who needs to establish reporting and communication channels in the whole
organization to make sure that information security governance is effective? - The CISO
