Question: 1 Which of the following should be the FIRST step in developing an information security plan?

ISACA - CISM Certified Information Security Manager Exam Set: 1, INFORMATION SECURITY GOVERNANCE

Question: 1 Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness
Answer(s): B
Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but it would not be an appropriate first step in developing an information security plan because it focuses on availability.

Question: 2 Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.
Answer(s): D
Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on the business environment and objectives. Industry best practices are important to senior management, but, again, senior management will give them the right level of importance only when they are presented in terms of key business objectives.

Question: 3 The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products.
B. assessment of risks to the organization.
C. approval of policy statements and funding.
D. monitoring adherence to regulatory requirements.
Answer(s): C
Since the members of senior management are ultimately responsible for information security, they are the ultimate decision makers in terms of governance and direction. They are responsible for approval of major policy statements and of requests to fund the information security practice. Evaluation of vendors, assessment of risks and monitoring compliance with regulatory requirements are day-to-day responsibilities of the information security manager; in some organizations business management is involved in these other activities, but its primary role remains direction and governance.

Question: 4 Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations
Answer(s): A
The existence of a steering committee that approves all security projects is an indication of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee, but it is not a complete answer. Awareness training is important at all levels and in any medium, and is also an indicator of good governance; however, it must itself be guided and approved as a security project by the steering committee.

Question: 5 Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
Answer(s): D
Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but each must be addressed in line with the business strategy.

Question: 6 Which of the following represents the MAJOR focus of privacy regulations?
A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data
Answer(s): D
Protection of identifiable personal data is the major focus of recent privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Data mining is an accepted tool for ad hoc reporting; it poses a threat to privacy only if it violates regulatory provisions. Identity theft is a potential consequence of privacy violations but not the main focus of many regulations. Human rights law addresses privacy issues but is not the main focus of privacy regulations.

Question: 7 Investments in information security technologies should be based on:
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations.
Answer(s): B
Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate, which is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.

Question: 8 Retention of business records should PRIMARILY be based on:
A. business strategy and direction.
B. regulatory and legal requirements.
C. storage capacity and longevity.
D. business ease and value analysis.
Answer(s): B
Retention of business records is generally driven by legal and regulatory requirements. Business strategy and direction would not normally apply, nor would they override legal and regulatory requirements. Storage capacity and longevity are important but secondary issues. Business case and value analysis would likewise be secondary to complying with legal and regulatory requirements.

Question: 9 Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
Answer(s): B
Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer because of economies of scale. However, turnaround can be slower because of weaker alignment with individual business units.

Question: 10 Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
Answer(s): B
Updated security policies are required to align management objectives with security procedures: management objectives translate into policy, and policy translates into procedures. Security procedures in turn necessitate specialized teams, such as the computer incident response and management group, and specialized tools, such as the security mechanisms that make up the security architecture. Security awareness training promotes the policies, the procedures and the appropriate use of the security mechanisms.

Question: 11 Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel
Answer(s): B
The chief operating officer (COO) is highly placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group; however, creation of the steering committee should be sponsored by someone versed in the strategy and direction of the business. Since the information security manager looks to this group for direction, the manager is not in the best position to oversee its formation.

Question: 12 The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. geographic coverage.
Answer(s): A
Privacy policies must contain notifications and opt-out provisions; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific matters.

Question: 13