[ISACA] CISM - Information Security Manager Exam Dumps & Study Guide
The Certified Information Security Manager (CISM) is the premier certification for professionals who manage, design, and oversee an organization's information security program. While technical certifications focus on individual security controls, the CISM validates your expertise in aligning security strategy with overall business goals. Managed by ISACA, the CISM is highly respected by organizations worldwide and is often a prerequisite for senior-level security management and executive roles. It demonstrates a commitment to professional excellence and a mastery of security governance and risk management.
Overview of the Exam
The CISM exam is a comprehensive assessment of your security management expertise. It is a four-hour exam consisting of 150 multiple-choice questions. The exam covers four key domains of information security management, ensuring that candidates have a holistic understanding of how to protect an organization's most valuable assets. From information security governance and incident management to risk management and security program development, the CISM is designed to test your ability to build and lead a robust security organization. Achieving the CISM certification is a significant career milestone, proving your technical prowess and your value to any organization.
Target Audience
The CISM is intended for experienced security professionals who are looking to move into management or executive roles. It is ideal for individuals in roles such as:
1. Information Security Managers
2. Chief Information Security Officers (CISOs)
3. Security Directors
4. Security Architects
5. IT Compliance Officers
6. Information Security Consultants
To qualify for the CISM, candidates must have at least five years of cumulative, paid work experience in information security management.
Key Topics Covered
The CISM exam is organized into four main domains:
1. Information Security Governance (17%): Establishing and maintaining an information security governance framework aligned with business goals.
2. Information Security Risk Management (20%): Identifying, assessing, and managing information security risks to protect the organization's assets.
3. Information Security Program (33%): Designing, implementing, and managing an information security program to meet the organization's security goals.
4. Incident Management (30%): Developing and implementing an incident response plan to manage security incidents effectively.
Benefits of Getting Certified
Earning the CISM certification provides numerous significant benefits. First, it offers elite recognition of your specialized expertise in information security management. As organizations face increasing pressure from regulators and shareholders to ensure robust information security, the demand for CISM-certified professionals has never been higher. Second, it can lead to high-level career opportunities and significantly higher salary potential in a variety of senior roles. Third, it demonstrates your commitment to professional excellence and your dedication to staying at the forefront of the information security field. By holding this certification, you join a prestigious global community of professionals and gain access to exclusive ISACA resources and continuing education opportunities.
Why Choose NotJustExam.com for Your CISM Prep?
The CISM exam is challenging and requires a deep understanding of complex information security management principles. NotJustExam.com is the premier resource to help you master this material. Our platform offers a sophisticated bank of practice questions that are specifically designed to mirror the actual exam’s format and difficulty.
What sets NotJustExam.com apart is our commitment to interactive logic and accurate explanations. We don’t just provide a list of questions; we provide a high-quality learning experience. Every question in our bank includes an in-depth, accurate explanation that helps you understand the management reasoning behind the correct solution. This ensures that you are truly learning the material and building the confidence needed to succeed on the exam. Our content is regularly updated by subject matter experts to stay current with the latest security management trends and ISACA standards. With NotJustExam.com, you can approach your CISM exam with the assurance that comes from thorough, high-quality preparation. Start your journey toward becoming a Certified Information Security Manager today with us!
Free [ISACA] CISM - Information Security Manager Practice Questions Preview
---
Question 1
An information security risk analysis BEST assists an organization in ensuring that:
- A. the infrastructure has the appropriate level of access control.
- B. cost-effective decisions are made with regard to which assets need protection.
- C. an appropriate level of funding is applied to security processes.
- D. the organization implements appropriate security technologies.
Correct Answer:
B
Explanation:
The AI agrees with the suggested answer, B: cost-effective decisions are made with regard to which assets need protection.
The reason for choosing this answer is that a risk analysis is fundamentally about understanding the potential threats and vulnerabilities to an organization's assets, and then prioritizing resources to protect those assets in a cost-effective manner. It's about making informed decisions about where to invest security efforts to achieve the greatest risk reduction for the investment. A risk analysis identifies the value of assets, the likelihood of threats exploiting vulnerabilities, and the potential impact of such events. This information enables organizations to make rational decisions about which assets to protect most vigorously and how to allocate resources accordingly.
Reasons for not choosing the other answers:
- A. While access control is an important aspect of security, a risk analysis doesn't solely focus on access control. Access control should be determined by the risk analysis and tailored to the needs of each asset and the threats it faces.
- C. Funding is a result of understanding risk, but the risk analysis itself is the process of identifying and evaluating those risks. While risk analysis results should inform security funding, the analysis itself is broader than just funding levels.
- D. The choice of technologies should be based on the risks identified through the risk analysis. The risk analysis informs the implementation of security technologies, but it is not the implementation itself. Risk analysis helps in selecting the *appropriate* technology, implying a cost/benefit analysis.
Citations:
- Information Security Risk Management for ISO 27001, https://advisera.com/27001academy/knowledgebase/information-security-risk-management-iso-27001/
- NIST Risk Management Framework, https://csrc.nist.gov/glossary/term/risk_management_framework
---
Question 2
In a multinational organization, local security regulations should be implemented over global security policy because:
- A. business objectives are defined by local business unit managers.
- B. deploying awareness of local regulations is more practical than of global policy.
- C. global security policies include unnecessary controls for local businesses.
- D. requirements of local regulations take precedence.
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer, D: requirements of local regulations take precedence.
Reasoning: In a multinational organization, adherence to local regulations is paramount. These regulations are legally binding and must be followed. While global security policies provide a general framework, they must be adapted and implemented in a way that complies with the specific legal and regulatory requirements of each local jurisdiction. Failure to comply with local regulations can result in significant legal and financial penalties, as well as reputational damage. Therefore, local regulatory requirements take precedence.
Reasons for not choosing the other options:
- A. business objectives are defined by local business unit managers - While local business unit managers do define local objectives, this doesn't negate the legal requirement to adhere to local security regulations. Business objectives should align with legal requirements, not the other way around.
- B. deploying awareness of local regulations is more practical than of global policy - Practicality of deployment is a consideration, but it doesn't outweigh the legal obligation to comply with local regulations. Awareness programs can be tailored to local requirements, but the underlying policies must still comply with local laws.
- C. global security policies include unnecessary controls for local businesses - While it's possible that global policies might include some controls that are unnecessary in a specific local context, this is a matter of policy tailoring and doesn't mean that local regulations should be ignored or superseded. The global policy should be adapted to meet the specific needs of the local business while still adhering to local regulations.
Citations:
- CISM Review Manual, 16th Edition
- NIST Cybersecurity Framework, https://www.nist.gov/cyberframework
---
Question 3
To gain a clear understanding of the impact that a new regulatory requirement will have on an organization's information security controls, an information security manager should FIRST:
- A. conduct a cost-benefit analysis.
- B. conduct a risk assessment.
- C. interview senior management.
- D. perform a gap analysis.
Correct Answer:
B
Explanation:
The AI agrees with the suggested answer, B: conduct a risk assessment.
Reasoning: The first step an information security manager should take to understand the impact of a new regulatory requirement is to conduct a risk assessment. A risk assessment helps identify, analyze, and evaluate the potential risks associated with the new regulation, including how the regulation affects the organization's assets, processes, and technology. This provides a foundation for the subsequent steps. As stated in the CISM Review Manual, 15th Edition, page 127, a risk assessment is conducted to identify potential threats and vulnerabilities that could impact an organization. Performing a risk assessment is essential for identifying and prioritizing potential risks, which is a fundamental requirement for conforming to regulations.
Reasons for not choosing other options:
- A. conduct a cost-benefit analysis: A cost-benefit analysis is important, but it is performed after the risks are understood, so the costs and benefits of mitigating those risks can be properly evaluated.
- C. interview senior management: Interviewing senior management can provide valuable context, but it won't provide a systematic understanding of the risks posed by the new regulation. This would be part of the risk assessment process.
- D. perform a gap analysis: A gap analysis compares the current state to the desired state (compliance with the new regulation). It is most effective after a risk assessment has identified the specific areas of non-compliance and their potential impact.
Citations:
- CISM Review Manual, 15th Edition
---
Question 4
When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?
- A. Access control management
- B. Change management
- C. Configuration management
- D. Risk management
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer, D: Risk management.
Reasoning: When an enterprise's business strategy changes, the most appropriate process to evaluate existing information security controls and select new ones is risk management. Risk management provides a structured approach to identify, assess, and prioritize risks associated with the changed strategy. This process includes evaluating the effectiveness of current controls in the new context and determining if additional or modified controls are needed to mitigate identified risks. A risk assessment is a critical step to make sure the security controls are fit for purpose.
Why other options are not the best:
- A. Access control management: Focuses specifically on controlling access to resources and data. While important, it's a subset of overall information security and not the overarching process needed to evaluate and select controls based on a change in business strategy.
- B. Change management: Is important for implementing changes to systems and controls, but it does not provide the initial framework for evaluating existing controls and selecting new ones based on strategic changes. Change management comes into play after the risk assessment and control selection phases.
- C. Configuration management: Concentrates on maintaining a consistent and known state of systems and configurations. It is not designed to evaluate the alignment of information security controls with a new business strategy.
Therefore, Risk Management is the most comprehensive and suitable process for this scenario. Risk management is the foundation for evaluating security controls.
Citations:
- NIST Risk Management Framework, https://csrc.nist.gov/projects/risk-management
---
Question 5
Which of the following is the BEST way to build a risk-aware culture?
- A. Periodically change risk awareness messages.
- B. Ensure that threats are communicated organization-wide in a timely manner.
- C. Periodically test compliance with security controls and post results.
- D. Establish incentives and a channel for staff to report risks.
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer, D: Establish incentives and a channel for staff to report risks.
Reasoning: Establishing incentives and a clear channel for staff to report risks is the BEST way to build a risk-aware culture. This approach actively encourages employees to participate in identifying and communicating potential threats and vulnerabilities, fostering a proactive security mindset throughout the organization. By providing incentives, individuals are motivated to take ownership of risk identification. A reporting channel ensures these concerns are communicated effectively to the appropriate stakeholders. This system creates a continuous feedback loop that reinforces the importance of risk awareness. It directly aligns with the principles of building a strong security culture where risk management is everyone's responsibility.
Reasons for not choosing other options:
- A: Periodically changing risk awareness messages, while important for keeping the message fresh, doesn't necessarily incentivize employees to actively participate in risk management or provide a mechanism for them to report potential issues. It's a passive approach compared to actively encouraging and rewarding risk reporting.
- B: Ensuring timely communication of threats organization-wide is crucial for incident response and overall security. However, it doesn't directly foster a risk-aware culture where employees are actively involved in identifying and reporting risks *before* they become threats. Communication is only a single piece of building a risk-aware culture and is reactive in nature.
- C: Periodically testing compliance with security controls and posting results may highlight areas of non-compliance, but it doesn't necessarily encourage a risk-aware culture. Posting results without proper context or explanation could create anxiety or even lead to attempts to circumvent controls. It also focuses on compliance, which is different from building a risk-aware *culture*.
Therefore, option D is the most comprehensive approach to building a risk-aware culture as it focuses on employee engagement, proactive risk identification, and continuous improvement.
---
Question 6
What would be an information security manager's BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization's critical data?
- A. Cancel the outsourcing contract.
- B. Transfer the risk to the provider.
- C. Create an addendum to the existing contract.
- D. Initiate an external audit of the provider's data center.
Correct Answer:
C
Explanation:
The AI assistant agrees with the suggested answer, which is C: Create an addendum to the existing contract.
Reasoning: The best course of action when an existing contract with a third party lacks clear requirements for safeguarding an organization's critical data is to create an addendum to the contract. This approach allows the organization to specifically address the identified gap by adding clauses that define the required security measures, data protection standards, and compliance obligations for the third party. This is a proactive and targeted way to mitigate the risk without immediately resorting to drastic measures like canceling the contract.
Why other options are not the best:
- A. Cancel the outsourcing contract: Canceling the contract is a drastic measure and may not be feasible or cost-effective, especially if the third party provides essential services. It should be considered as a last resort after other options have been explored.
- B. Transfer the risk to the provider: While transferring risk is a valid risk management strategy, it doesn't absolve the organization of its responsibility to ensure data security. Furthermore, simply transferring risk without clearly defined requirements will not be effective.
- D. Initiate an external audit of the provider's data center: An external audit is a good practice, but it is a reactive measure. Addressing the contract first will set the expectation and provide a baseline to be tested by the audit. Also, an audit without contractual requirements for data protection may not be effective.
Addressing the contractual gap directly through an addendum is the most appropriate initial step to ensure the organization's critical data is adequately protected.
---
Question 7
An organization has purchased a security information and event management (SIEM) tool. Which of the following is MOST important to consider before implementation?
- A. Controls to be monitored
- B. Reporting capabilities
- C. The contract with the SIEM vendor
- D. Available technical support
Correct Answer:
A
Explanation:
I agree with the suggested answer, A (Controls to be monitored).
The most important consideration before implementing a SIEM tool is defining the controls to be monitored. This is because a SIEM's effectiveness hinges on its ability to collect and analyze relevant data from specific security controls. Without knowing which controls need monitoring, the SIEM cannot be properly configured, and its benefits will be severely limited. Establishing these controls first allows for a targeted and efficient implementation.
The other options are important but secondary to defining the controls:
- Reporting capabilities (B): Reporting is important, but reports are useless if the SIEM isn't monitoring the right things in the first place.
- The contract with the SIEM vendor (C): The contract is typically finalized before the implementation phase, and while important for legal and financial reasons, it does not dictate the technical configuration of the SIEM.
- Available technical support (D): Technical support is important for troubleshooting and maintenance, but knowing *what* to monitor must come first.
The order of operations dictates that the organization must know what to monitor *before* considering reporting, vendor contracts, or technical support. Defining the controls to be monitored ensures that the SIEM implementation is aligned with the organization's security objectives and compliance requirements.
---
Question 8
Which of the following is MOST likely to be included in an enterprise security policy?
- A. Definitions of responsibilities
- B. Retention schedules
- C. System access specifications
- D. Organizational risk
Correct Answer:
A
Explanation:
The AI agrees with the suggested answer: A. Definitions of responsibilities.
Reasoning:
An enterprise security policy outlines the high-level principles and guidelines for an organization's security posture. It serves as a foundation for all security-related activities. The most fundamental aspect of such a policy is to clearly define the responsibilities of various stakeholders in maintaining the security of the organization. This includes defining who is responsible for data protection, incident response, access control, and other crucial security functions. Defining responsibilities ensures that everyone understands their role in maintaining security, which is essential for effective implementation of security measures. Without clear responsibilities, accountability is lost, and security efforts become fragmented and ineffective.
Reasons for not choosing other options:
- B. Retention schedules: While retention schedules are important for data management and compliance, they are more specific and are usually found in data retention policies or standards, not necessarily in the high-level enterprise security policy.
- C. System access specifications: System access specifications are highly detailed and technical and would be documented in system-specific security procedures or guidelines, rather than the broader enterprise security policy.
- D. Organizational risk: While identifying organizational risk is crucial for security planning, it is more of an input to the security policy rather than a component *within* the policy itself. The policy should address how the organization manages and mitigates those identified risks, and the responsibilities involved.
Citations:
- NIST SP 800-12, An Introduction to Information Security, https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final
- SANS Institute, Developing Security Policies, https://www.sans.org/white-papers/112/
---
Question 9
Which of the following should an information security manager do FIRST when a legacy application is not compliant with a regulatory requirement, but the business unit does not have the budget for remediation?
- A. Develop a business case for funding remediation efforts.
- B. Advise senior management to accept the risk of noncompliance.
- C. Notify legal and internal audit of the noncompliant legacy application.
- D. Assess the consequences of noncompliance against the cost of remediation.
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer, D: Assess the consequences of noncompliance against the cost of remediation.
The first step an information security manager should take is to assess the consequences of noncompliance against the cost of remediation. This assessment provides a clear understanding of the potential risks, impacts, and liabilities associated with not complying with the regulatory requirement, and it weighs those against the financial and operational costs of fixing the legacy application. This comparison allows for a rational, informed decision regarding the best course of action for the organization.
Here's why other options are less suitable as the FIRST step:
- A. Develop a business case for funding remediation efforts: While creating a business case is important, it requires knowing the potential impact and consequences of non-compliance, which is determined during the assessment phase.
- B. Advise senior management to accept the risk of noncompliance: Risk acceptance should only be considered *after* a thorough assessment of the consequences and costs has been performed. Premature risk acceptance without proper evaluation could expose the organization to unforeseen liabilities.
- C. Notify legal and internal audit of the noncompliant legacy application: Notification is necessary, but it is more effective *after* the assessment has quantified the potential impact of the non-compliance. The assessment will provide the necessary context and justification for involving these stakeholders.
The CISM emphasizes risk-based decision-making. Assessing the consequences and costs aligns with this principle, ensuring that subsequent actions are based on a clear understanding of the situation.
In summary, assessing the consequences of non-compliance against the cost of remediation provides a foundational understanding necessary for making informed decisions and justifying further actions.
Citations:
- ISACA, CISM Review Manual, 16th Edition
---
Question 10
Which of the following is the MOST effective way to address an organization's security concerns during contract negotiations with a third party?
- A. Review the third-party contract with the organization's legal department.
- B. Communicate security policy with the third-party vendor.
- C. Ensure security is involved in the procurement process.
- D. Conduct an information security audit on the third-party vendor.
Correct Answer:
C
Explanation:
The AI agrees with the suggested answer, C: Ensure security is involved in the procurement process.
Reasoning: The most effective way to address an organization's security concerns during contract negotiations with a third party is to proactively involve security in the procurement process. This ensures that security requirements and risk considerations are integrated from the outset of the relationship. By embedding security early, the organization can negotiate contract terms that specifically address potential vulnerabilities and establish clear expectations for security practices.
Here's a breakdown of why the other options are less effective:
- A. Reviewing the third-party contract with the organization's legal department is important, but it's a reactive measure. Legal review can identify potential issues, but it doesn't guarantee that security concerns were adequately addressed during the initial contract development.
- B. Communicating security policy with the third-party vendor is also necessary, but it's insufficient on its own. Simply sharing the policy doesn't ensure that the vendor understands, accepts, or complies with the requirements. Without security involvement in procurement, there's no mechanism to enforce adherence.
- D. Conducting an information security audit on the third-party vendor is valuable for assessing their security posture, but it's more of a validation step after the contract is in place. While audits can uncover vulnerabilities, they don't proactively shape the contract to mitigate risks from the start.
Therefore, integrating security into the procurement process is the MOST effective approach: it allows proactive risk mitigation and establishes clear security expectations within the contract itself.
In summary, Option C is selected because it emphasizes a proactive and integrated approach to security, ensuring that concerns are addressed from the very beginning of the third-party relationship. Option A is reactive rather than proactive, Option B lacks a mechanism to enforce compliance, and Option D is a validation step that comes after the contract is established.
Citations:
- Third-Party Risk Management: A Comprehensive Guide, https://www.varonis.com/blog/third-party-risk-management
- NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, https://csrc.nist.gov/publications/detail/sp/800-161/final
- Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing v4.0, https://cloudsecurityalliance.org/research/security-guidance-for-critical-areas-of-focus-in-cloud-computing/