What are the core set of principles to guide implementation of an effective information
security strategy - ANSWER-
1. Conduct annual information security evaluation
2. Periodic risk assessment
3. Implement policies and procedures based on risk assessment
4. Establish roles and responsibility, authority and accountability
5. Provide information security to networks, facilities, systems and information
6. Incorporate security as part of the system life cycle
7. Training
8. Periodic testing and evaluation
9. Incident management
10. Development and testing of BCP
An information security program should be based PRIMARILY on the desired outcome,
which reflects the acceptable risk across the enterprise.
It is MOST important to develop a strategy before implementing an information security
program because a strategy is a plan to achieve an objective; it serves to align and
integrate program activities to achieve the desired outcome.
What is the role of the Steering Committee - ANSWER- Ensure the alignment of the
security program with business objectives. The committee should include all business
areas, and the program should consider:
1. Strategy and integration efforts with business units
2. Business unit support
3. Identifying emerging risk and compliance issues
Senior management establishes the direction for the information security program.
The existence of a steering committee that approves all security projects would be an
indication that a good governance program exists.
What is compliance - ANSWER- Compliance is the process that records and monitors the
policies, procedures and controls needed to ensure that policies and standards are
adequately adhered to.
What is GRC - ANSWER- Governance, Risk, and Compliance. Governance, risk and
compliance (GRC) is largely concerned with ensuring that processes in IT, finance and
legal are in compliance with regulatory requirements, that proper rules are in place and
that risk is appropriately addressed.
GRC is an effort to integrate assurance activities across an organization to achieve
greater efficiency and effectiveness.
GRC is the result of a growing recognition of the necessity to improve the integration of
these processes across the enterprise to counter the typical "silo effect," and increase
overall effectiveness and efficiency of these activities.
The overarching objective of governance, risk and compliance (GRC) is improved risk
management achieved by integrating these interrelated activities across the enterprise,
primarily focused on finance, legal and IT domains.
Criteria for an effective security metric - ANSWER- It has to be:
1. Meaningful - understood by the recipient
2. Accurate - reasonable degree of accuracy
3. Cost-Effective - reliable over time
4. Predictive - indicative of the outcomes
5. Actionable - clear about the actions to be taken
6. Genuine - measures what is actually meant to be measured
Effective metrics are essential to provide the information needed to make decisions. A
metric is a quantifiable entity that allows the measurement of the achievement of a
process goal.
Security metric measurement models - ANSWER-
1. VAR - Value at Risk [for a defined period, with a confidence level of 95 percent or
better]
2. ROSI - Return on Security Investment [return on investment based on the reduction
of losses from a security control]
3. ALE - Annual Loss Expectancy [provides the likely annualized loss based on the
probable frequency and magnitude of a security compromise]
"Desired State" - ANSWER- The complete snapshot of all relevant conditions at a
particular point in the future.
COBIT 5 principles - ANSWER- 5 key principles:
1. Meeting Shareholder Needs
2. Covering the Enterprise End-to-end
* Functions and processes - not only IT
* Enterprise and end-to-end
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach with 7 categories of enablers:
> Principles, Policies and Frameworks
> Processes
> Organizational Structures
> Cultures, Ethics and Behaviors
> Information
> Services, Infrastructure and Applications
> People, Skills and Competencies
5. Separating Governance from Management
COBIT 5 makes a clear distinction between governance and management. Management
plans, builds, runs and monitors activities in alignment with the direction set by the
governance body to achieve the enterprise objectives.
Capability Maturity Model - ANSWER- Replaced by COBIT 5. It consists of grading each
defined area of security on a scale of 0 to 5:
0. Non-existent
1. Ad hoc - risk is considered on an ad hoc basis
2. Repeatable but intuitive - emerging understanding of risk and the need for security
3. Defined process - company-wide risk management policy and security awareness
4. Managed and measurable - standard risk assessment procedure, roles and
responsibilities assigned, policies and standards in place
5. Optimized - organization-wide processes implemented, monitored and managed
Best measure of the effectiveness of the security strategy - ANSWER- The extent to
which the control objectives are met. The purpose of the information security strategy is
to support business objectives and activities and minimize disruptions.
Vulnerability is defined - ANSWER- As a weakness in the design, implementation,
operation or internal control of a process that could expose the system to adverse
threats. On its own it does not pose a risk.
Exposure - ANSWER- Exposure is only important if there is a threat. It is defined as the
potential loss to an area due to the occurrence of an adverse event.
Threats - ANSWER- Defined as anything that is capable of acting against an asset in a
manner that results in harm, and for which policies need to be developed.
Threat, vulnerability and exposure constitute the essential elements needed to determine
risk. Exposure (effectiveness) is the potential loss to an area due to the occurrence of
an adverse event.
What is the role of the Information Security Manager regarding data classification -
ANSWER- Defining/ ratifying the data classification structure and handling process.