Certified Information Security Manager v1.0

Page:    1 / 119   
Exam contains 1776 questions

A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

  • A. Enforce the existing security standard
  • B. Change the standard to permit the deployment
  • C. Perform a risk analysis to quantify the risk
  • D. Perform research to propose use of a better technology

Answer : C

Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.

Acceptable levels of information security risk should be determined by:

  • A. legal counsel.
  • B. security management.
  • C. external auditors.
  • D. die steering committee.

Answer : D

Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel, the external auditors and security management are not in a position to make such a decision.

The PRIMARY goal in developing an information security strategy is to:

  • A. establish security metrics and performance monitoring.
  • B. educate business process owners regarding their duties.
  • C. ensure that legal and regulatory requirements are met
  • D. support the business objectives of the organization.

Answer : D

The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.

Senior management commitment and support for information security can BEST be enhanced through:

  • A. a formal security policy sponsored by the chief executive officer (CEO).
  • B. regular security awareness training for employees.
  • C. periodic review of alignment with business management goals.
  • D. senior management signoff on the information security strategy.

Answer : C

Ensuring that security activities continue to be aligned and support business goals is critical to obtaining their support. Although having the chief executive officer (CEO) signoff on the security policy and senior management signoff on the security strategy makes for good visibility and demonstrates good tone at the top, it is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.

When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?

  • A. Create separate policies to address each regulation
  • B. Develop policies that meet all mandated requirements
  • C. Incorporate policy statements provided by regulators
  • D. Develop a compliance risk assessment

Answer : B

It will be much more efficient to craft all relevant requirements into policies than to create separate versions.
Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.

Which of the following MOST commonly falls within the scope of an information security governance steering committee?

  • A. Interviewing candidates for information security specialist positions
  • B. Developing content for security awareness programs
  • C. Prioritizing information security initiatives
  • D. Approving access to critical financial systems

Answer : C

Prioritizing information security initiatives is the only appropriate item. The interviewing of specialists should be performed by the information security manager, while the developing of program content should be performed by the information security staff. Approving access to critical financial systems is the responsibility of individual system data owners.

Which of the following is the MOST important factor when designing information security architecture?

  • A. Technical platform interfaces
  • B. Scalability of the network
  • C. Development methodologies
  • D. Stakeholder requirements

Answer : D

The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically-elegant solution is achieved that does not meet the needs of the business.

Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?

  • A. Knowledge of information technology platforms, networks and development methodologies
  • B. Ability to understand and map organizational needs to security technologies
  • C. Knowledge of the regulatory environment and project management techniques
  • D. Ability to manage a diverse group of individuals and resources across an organization

Answer : B

Information security will be properly aligned with the goals of the business only with the ability to understand and map organizational needs to enable security technologies. All of the other choices are important but secondary to meeting business security needs.

Which of the following are likely to be updated MOST frequently?

  • A. Procedures for hardening database servers
  • B. Standards for password length and complexity
  • C. Policies addressing information security governance
  • D. Standards for document retention and destruction

Answer : A

Policies and standards should generally be more static and less subject to frequent change. Procedures on the other hand, especially with regard to the hardening of operating systems, will be subject to constant change; as operating systems change and evolve, the procedures for hardening will have to keep pace.

Who should be responsible for enforcing access rights to application data?

  • A. Data owners
  • B. Business process owners
  • C. The security steering committee
  • D. Security administrators

Answer : D

As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.

The chief information security officer (CISO) should ideally have a direct reporting relationship to the:

  • A. head of internal audit.
  • B. chief operations officer (COO).
  • C. chief technology officer (CTO).
  • D. legal counsel.

Answer : B

The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO's goals for the infrastructure might, at times, run counter to the goals of information security.

Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?

  • A. Update platform-level security settings
  • B. Conduct disaster recovery test exercises
  • C. Approve access to critical financial systems
  • D. Develop an information security strategy paper

Answer : D

Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks.

Developing a successful business case for the acquisition of information security software products can BEST be assisted by:

  • A. assessing the frequency of incidents.
  • B. quantifying the cost of control failures.
  • C. calculating return on investment (ROI) projections.
  • D. comparing spending against similar organizations.

Answer : C

Calculating the return on investment (ROI) will most closely align security with the impact on the bottom line.
Frequency and cost of incidents are factors that go into determining the impact on the business but, by themselves, are insufficient. Comparing spending against similar organizations can be problematic since similar organizations may have different business goals and appetites for risk.

When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:

  • A. aligned with the IT strategic plan.
  • B. based on the current rate of technological change.
  • C. three-to-five years for both hardware and software.
  • D. aligned with the business strategy.

Answer : D

Any planning for information security should be properly aligned with the needs of the business. Technology should not come before the needs of the business, nor should planning be done on an artificial timetable that ignores business needs.

Which of the following is the MOST important information to include in a strategic plan for information security?

  • A. Information security staffing requirements
  • B. Current state and desired future state
  • C. IT capital investment requirements
  • D. information security mission statement

Answer : B

It is most important to paint a vision for the future and then draw a road map from the stalling point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.

Page:    1 / 119   
Exam contains 1776 questions

Talk to us!

Have any questions or issues ? Please dont hesitate to contact us

Certlibrary doesn't offer Real Microsoft Exam Questions.
Certlibrary Materials do not contain actual questions and answers from Cisco's Certification Exams.
CFA Institute does not endorse, promote or warrant the accuracy or quality of Certlibrary. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.