Set 1
Define the “top-down approach” of governance.
In the top-down approach, policies, procedures, and goals are reviewed and approved by senior management and are hence directly aligned with the business objectives.
Senior management is considering either a top-down or a bottom-up approach to governance. As an information security manager, what should your recommendation be (i.e., top-down or bottom-up) for effective governance?
The effectiveness of governance is best ensured by a top-down approach. In a top-down approach, policies, procedures, and goals are reviewed and approved by senior management and are hence directly aligned with the business objectives. A bottom-up approach may not directly address management priorities.
Senior management is in the process of defining the information security strategy. What are the most important aspects, from a senior management perspective, of an information security strategy?
Business priorities, objectives, and goals
As an information security manager, you notice that a new regulation impacts your organization. Who should determine the control processes for any new regulatory requirements?
The affected department is in the best position to determine the impact of any new regulatory requirements on their processes and the best way to address them.
As an information security manager, you notice that a new regulation impacts your organization. What should your first steps be?
To determine the processes and activities that may be impacted and to assess whether existing controls already meet the regulations
As an information security manager, you notice that a new privacy law impacts your organization. What is the major focus of a privacy law?
To protect identifiable personal data
As an information security manager, you have been advised by your legal counterpart to define and document e-discovery processes. What is e-discovery?
E-discovery is the process of identifying, collecting, and submitting electronic records in a lawsuit or investigation.
A record retention period is primarily based on:
Business requirements and legal requirements (If both options are available, then preference should be given to business requirements as it is generally assumed that business requirements already include a consideration of any legal requirements.)
What is the primary reason for having documented roles and responsibilities for each employee?
Better accountability
Who has the ultimate responsibility for legal and regulatory requirements?
The board of directors and senior management
You have recently been appointed as an information security manager for your organization. What is the prime responsibility of an information security manager?
To manage risks to information assets
What is the major concern if database administrators (DBAs) have access to DBA-related logs?
The unauthorized modification of those logs by the DBAs
What is the role of the information owner regarding the data classification policy?
To determine the level of classification for any data under their purview
Who is responsible for complying with the organization’s security policies and standards?
All organizational units/every employee
What is the best way to determine the continuous improvement of the risk management process?
The adoption of a maturity model
What is the first step in developing an information security plan?
To evaluate and understand the business strategy
What is the main objective of designing an information security strategy?
To support the business objectives
What is value delivery in information security?
Value delivery means designing a process that gives the maximum benefit to the organization. It indicates a high utilization of the available resources for the benefit of the organization.
On what basis should intangible assets be valued?
On the ability of those assets to generate revenue
What is the first step in developing an information security management program?
To ascertain the need and justification for creating the program
What is the best method to increase the effectiveness of security training?
Customizing training as per the target audience
What are the main objectives behind implementing governance, risk, and compliance (GRC) procedures?
• To improve risk management processes by integrating various assurance-related activities
• To synchronize and align an organization’s assurance functions
What is the best way to gain support from senior management for security projects?
To explain to management the impact of security risks on key business objectives
What are the first steps in the development of a business case?
• To define issues to be addressed
• To define the need for the project
What are the essential elements of risk?
1. Probability (likelihood)
2. Impact (consequences)