CISM Domain 1 Answers Set-2: INFORMATION SECURITY GOVERNANCE

11) What is the purpose of security governance in an organization?

Correct Answer: b) To align the organization's security program with the needs of the business.

Explanation: Security governance ensures that the organization's security program is strategically aligned with the business requirements, ensuring that information security supports the overall goals and objectives of the organization.

12) How are priorities in the security program determined?

Correct Answer: d) Priorities should flow directly from the organization's mission, objectives, and goals.

Explanation: The priorities in the security program should be derived from the overall mission, objectives, and goals of the organization. What is important to the organization as a whole should also be important to information security.

13) What are standards in the context of security governance?

Correct Answer: d) Standards help to drive a consistent and secure approach to solving business challenges.

Explanation: Standards refer to the technologies, protocols, and practices used by IT, which should align with the organization's needs. They enable a consistent and secure approach to addressing business challenges while meeting the organization's requirements in a cost-effective manner.

14) What are controls in the context of security governance?

Correct Answer: d) Controls are formal descriptions of critical activities to ensure desired outcomes.

Explanation: Controls in security governance refer to formal descriptions of critical activities that are implemented to ensure that desired outcomes are achieved. They provide a structured approach to managing and mitigating security risks.

15) How should security governance be practiced in an organization?

Correct Answer: d) Security governance should be practiced in a manner similar to IT governance and corporate governance.

Explanation: It is recommended that security governance follows similar processes and practices as those used for IT governance and corporate governance within the organization. This ensures consistency and integration of security initiatives into the overall governance framework.

16) What is the purpose of risk assessments in an effective security governance program?

Correct Answer: c) To identify risks in information systems and supported processes.

Explanation: Risk assessments are performed to identify risks in information systems and supported processes. This helps management understand the potential vulnerabilities and take appropriate actions to reduce the risk of system failure and compromise.

17) What is the purpose of incident response procedures in security governance?

Correct Answer: d) To improve response to incidents and minimize their impact on the organization.

Explanation: Incident response procedures are put into place to help avoid incidents, reduce their impact and probability, and improve the organization's response to incidents. The goal is to minimize the impact of incidents on the organization.

18) What is the purpose of metrics in security governance?

Correct Answer: b) To measure key security events such as policy changes and violations.

Explanation: Metrics in security governance are established to measure key security events, such as incidents, policy changes and violations, audits, and training. These measurements help management understand the effectiveness of security measures and identify areas for improvement.

19) What is the purpose of resource management in security governance?

Correct Answer: b) To allocate manpower, budget, and other resources to meet security objectives.

Explanation: Resource management in security governance involves monitoring the allocation of manpower, budget, and other resources to meet security objectives. It ensures that sufficient resources are available to implement and maintain effective security measures.

20) How are scripted interactions among key business and IT executives used in security governance?

Correct Answer: d) To discuss the impact of regulatory changes, alignment with business objectives, and recent audits.

Explanation: Scripted interactions among key business and IT executives in security governance meetings are used to discuss various topics such as the impact of regulatory changes, alignment with business objectives, effectiveness of measurements, recent incidents, recent audits, and risk assessments. They provide a platform for important discussions related to security and governance matters.