Information Security Management Responsibilities Quiz

Questions and Answers

What action did the bad actor take after being exposed to encrypted data transferred to the server?

Deleted the FTP directory

What could have been prevented by conducting regular incident response testing?

Ignored alert messages

What was the method used by the bad actor to break into the business-critical FTP server?

Brute forcing an administrative password

What consequence did the bad actor's actions have on legitimate customers?

Incoming FTP attempts failed

What is the PRIMARY step for an organizational response to a security incident if civil litigation is a goal?

Document the chain of custody

What is the MOST effective in monitoring an organization's existing risk?

Risk management dashboards

What is the BEST way to reduce the impact of a successful ransomware attack?

Perform frequent backups and store them offline

Which of the following BEST facilitates an information security manager's efforts to obtain senior management commitment for an information security program?

Presenting compliance requirements

Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process?

To ensure the stakeholders providing input own the related risk

Which of the following would BEST enable the timely execution of an incident response plan?

Definition of trigger events

Which of the following change management procedures is MOST likely to cause concern to the information security manager?

The development manager migrates programs into production

What is the GREATEST benefit of conducting an organization-wide security awareness program?

Security behavior is improved

Which of the following documents should contain the INITIAL prioritization of recovery of services?

Business impact analysis (BIA)

What is the first step in creating a disaster recovery plan (DRP)?

Conducting a business impact analysis (BIA)

What is the subsequent step involving assigning roles and responsibilities for executing the DRP?

Identifying response and recovery teams

What is the primary responsibility of an information security manager implementing company-owned mobile devices?

Review and update existing security policies

What has the greatest influence on an organization's information security strategy?

Risk tolerance

What do security policies define?

Goals, objectives, and requirements for protecting information and systems

What is the most effective way to present quarterly reports to the board on the status of the information security program?

An information security dashboard

What should the information security manager address in security policies?

Scope, acceptable use, security standards, roles and responsibilities

How does an anomaly-based intrusion detection system (IDS) operate?

By gathering data on normal network behavior and using it as a baseline for measuring abnormal activity

How is the effectiveness of an organization's information security program best measured?

Return on information security investment

What justifies continued investment in an information security program?

Reduction in residual risk

What is most helpful in protecting an enterprise from advanced persistent threats (APTs)?

Defined security standards

What is not the first step to establishing an effective information security program?

Compliance review

What should drive the information security manager's decision when choosing controls to mitigate risk?

Regulatory requirements

What determines how much risk an organization is willing to accept and the resources allocated to mitigate or transfer risk?

Risk tolerance

What is the first step an information security manager should take when creating an organization's disaster recovery plan (DRP)?

Conduct a business impact analysis (BIA)

What is a subsequent step involving selecting and implementing appropriate solutions and procedures for restoring critical business functions?

Developing response and recovery strategies

What is the best determinant of resource allocation during a security incident response?

Defined levels of severity

What is not the most effective way to present quarterly reports to the board on the status of the information security program?

Anomaly-based intrusion detection system (IDS)

What are possible actions or controls derived from updated security policies?

Requiring remote wipe capabilities, conducting security awareness training, and enforcing passwords and data encryption

What balances the cost of security controls with the potential impact of security incidents?

An organization's risk tolerance

How should an information security manager measure the effectiveness of the security program?

By return on information security investment

What is the subsequent step defining communication channels and protocols for notifying and updating stakeholders during and after a disruption?

Reviewing the communications plan

What should an information security manager promote to overcome the perception that security is a hindrance to business activities?

The relevance and contribution of security

What are subsequent steps in creating a disaster recovery plan (DRP) after conducting a business impact analysis (BIA)?

Identifying the response and recovery teams, reviewing the communications plan, and developing response and recovery strategies

What is the primary purpose for continuous monitoring of security controls?

To ensure the effectiveness of controls and identify potential weaknesses

How can incident response teams best leverage the results of a business impact analysis (BIA)?

By assigning restoration priority during incidents based on the BIA findings

What is the next step for the information security manager after deciding to adopt a bring your own device (BYOD) strategy?

Define control requirements to ensure the security policy framework encompasses the new business model

What should an effective information security training program be based on?

Employees' roles and responsibilities, tailored to specific job functions

How is the evaluation of incident response effectiveness best supported?

By a post-incident review process

What is the primary responsibility of an information security manager in an organization implementing the use of company-owned mobile devices?

To require remote wipe capabilities for devices to enhance security

What is the best option to lower the cost of implementing application security controls?

Integrate security activities within the development process to address security throughout the SDLC

What should the information security manager communicate when reporting to senior management?

Potential business impact with regard to open items from the risk register

What are stolen data breaches related to, despite incident response testing?

Security breaches that may occur despite the incident response plan or process

What is the subsequent step after a risk assessment to ensure the security policy framework aligns with the BYOD strategy?

Defining control requirements

What is the MOST effective way to lower the cost of implementing application security controls?

Integrate security activities within the development process to address security throughout the SDLC

What is the primary responsibility for an information security manager after adopting a bring your own device (BYOD) strategy?

Define control requirements to ensure the security policy framework encompasses the new business model

What is the GREATEST inherent risk when performing a disaster recovery plan (DRP) test?

Disruption to the production environment

Which activity is designed to handle a control failure that leads to a breach?

Incident management

What should an information security manager initiate FIRST when a finance department director decides to outsource the organization's budget application?

Determine the required security controls for the new solution

What is the GREATEST benefit of conducting an organization-wide security awareness program?

Improving incident response effectiveness

What should an information security manager determine before outsourcing?

Security controls based on risk appetite, policies, and regulatory requirements

How is integrating information security governance into corporate governance best enabled?

By an information security steering committee with business representation

When is the most appropriate time to conduct a disaster recovery test?

After major business processes have been redesigned

What should be the highest priority for an organization creating an enterprise strategy for protecting data across multiple repositories?

Data encryption standards

What is the most useful for an information security manager when determining the need to escalate an incident to senior management?

The organizational risk register

What would be most helpful to identify worst-case disruption scenarios?

Business impact analysis (BIA)

What should be the highest priority for an organization with a high volume of sensitive data and limited resources?

Data retention strategy

What are essential for measuring the effectiveness of information security governance?

Key performance indicators (KPIs)

What best enables the integration of information security governance into corporate governance?

Clear lines of authority across the organization

What should an information security manager obtain on the service providers' hosting environment?

Audit reports

What is the primary responsibility of security policy provisions in an organization's information security governance framework?

To establish and maintain a framework for information security governance

Which security objective best ensures that information is protected against unauthorized disclosure?

Confidentiality

What is the most important factor in an organization's selection of a key risk indicator (KRI)?

The criticality of information

What is the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, consistent with applicable laws and regulations, and managed effectively and efficiently?

Information security governance

Which of the following is a perspective typically included in a balanced scorecard for information security governance?

Financial

What does confidentiality mean in the context of information security?

Only authorized parties can access or view sensitive information

What is the purpose of a balanced scorecard in information security governance?

To measure and communicate the performance and progress of an organization toward its strategic goals

What is the role of the criticality of information in prioritizing risks?

To prioritize risks and focus on the most significant ones

What is the primary purpose of an information security program?

To achieve specific objectives within constraints such as time, budget, scope, and quality

What is the primary responsibility of security policy provisions in aligning the information security governance framework with business strategy and objectives?

To establish and maintain a framework for information security governance

What is the primary focus of risk management?

Identifying, analyzing, evaluating, treating, monitoring, and communicating risks

Which of the following is an essential component of an information security governance framework?

Establishing and maintaining a framework for information security governance

What is the most important consideration when determining which type of failover site to employ?

Recovery time objectives (RTOs)

What does confidentiality mean in the context of information security?

Only authorized parties can access or view sensitive information

What is the primary responsibility of an information security manager regarding compliance requirements?

Embedding compliance requirements within operational processes

What is the primary responsibility of an information security manager implementing company-owned mobile devices?

To ensure compliance with relevant laws and regulations

What is the main purpose of a balanced scorecard in the context of information security programs?

Measuring and reporting on key performance indicators and key risk indicators

What is the primary focus of security metrics in the context of information security program effectiveness?

Reporting to key stakeholders regarding the effectiveness of an information security program

What is the primary focus of performance in an organizational context?

Achieving organizational objectives or meeting standards

What is the primary goal of regulatory compliance?

Following external legal mandates set forth by governments

What is the main focus of recovery time objectives (RTOs) in the context of failover sites?

Determining which type of failover site to employ

What is the primary focus of embedding compliance requirements within operational processes?

Providing ongoing assurance that legal and regulatory compliance requirements can be met

What is the most important aspect of project management in an organizational context?

Planning, executing, and monitoring projects to achieve specific objectives within constraints

What is the primary focus of security metrics in the context of information security program effectiveness?

Reporting to key stakeholders regarding the effectiveness of an information security program

Which of the following is the BEST way to enable an organization to enhance its incident response plan processes and procedures?

Lessons learned analysis

A risk assessment exercise has identified the threat of a denial of service (DoS) attack. Executive management has decided to take no further action related to this risk. The MOST likely reason for this decision is:

The cost of implementing controls exceeds the potential financial losses

An organization has introduced a new bring your own device (BYOD) program. The security manager has determined that a small number of employees are utilizing free cloud storage services to store company data through their mobile devices. Which of the following is the MOST effective course of action?

Assess the business need to provide a secure solution

What is the BEST way to determine the maturity of an information security program?

Security metrics

Before relying on a vendor's certification for international security standards, what is the MOST important for the information security manager to confirm?

Certification scope is relevant to the service being offered

What is the primary purpose of security metrics in an information security program?

Evaluate the current state of security

In the context of information security, what is the BEST way to communicate the value and impact of security to stakeholders?

Security metrics

What is the most appropriate metric for evaluating the incident notification process?

Elapsed time between detection, reporting, and response

What is the primary objective of performing a post-incident review?

Re-evaluate the impact of the incident and identify areas for improvement

What is the greatest value provided by a Security Information and Event Management (SIEM) system?

Facilitating the monitoring of risk occurrences

Which is the best technical defense against unauthorized access to a corporate network through social engineering?

Multi-factor authentication (MFA)

What is the most important factor for an effective information security program?

Senior management support

What is the best type of indicator for an information security status report for management?

Key risk indicators (KRIs)

What is the primary focus of a Security Information and Event Management (SIEM) system?

Monitoring of risk occurrences

What is the primary responsibility of an information security manager implementing multi-factor authentication (MFA)?

Defending against unauthorized access through social engineering

What is the primary benefit of maintaining a repository base of security policies?

Providing easy access to security policies

What is the most appropriate factor for evaluating the incident notification process?

Elapsed time between detection, reporting, and response

What is the primary role of multi-factor authentication (MFA) in information security?

Defending against unauthorized access through social engineering

What is the most appropriate metric for evaluating the incident notification process?

Elapsed time between detection, reporting, and response

What is spoofing commonly used for in cybersecurity?

Gaining unauthorized access to secure systems by faking the sender's address

How can spoofing trusted email addresses be exploited by attackers?

Sending phishing emails containing malicious links or attachments

What is the primary objective of a business impact analysis (BIA) in cybersecurity?

Determining recovery priorities

What does an incident response plan include instructions for?

Detecting, responding to, and recovering from security incidents

Who may be part of the incident response team?

Security analysts, IT staff, legal counsel, and other stakeholders

What is the primary purpose of an information security status report for management?

Include a list of recent security events and key risk indicators (KRIs)

What does a business impact analysis (BIA) help identify and analyze?

Potential incident effects on the organization, including financial, operational, and reputational impacts

What are key aspects of an incident response plan that the response team needs to be familiar with?

Communication protocols, incident classification, and incident review processes

How can incident response plan execution be facilitated?

By ensuring the response team is trained on the plan

What is the primary focus of a balanced scorecard in the context of information security programs?

Balancing the performance of the security program across multiple perspectives

What does an incident response plan include instructions for?

Detecting, responding to, and recovering from security incidents

What does an incident response plan include instructions for?

Detecting, responding to, and recovering from security incidents

What is the most important consideration when defining a recovery strategy in a business continuity plan (BCP)?

The organizational tolerance to service interruption

What is the best way to reduce the risk associated with a bring your own device (BYOD) program?

Implement a mobile device policy and standard, including guidelines and rules regarding the use of mobile devices and requirements for secure mobile device practices

What is the primary basis for a severity hierarchy for information security incident classification?

The adverse effects on the business

Why should spoofing be prevented in information security?

It may be used to gain illegal entry to a secure system by faking the sender's address

What is the best approach to incident response for an organization migrating to a cloud-based solution?

Revise incident response procedures to encompass the cloud environment

What is the primary basis for determining the value of assets in information security governance?

The business cost when assets are not available

What is the best way to integrate information security governance into enterprise governance?

By establishing an information security steering committee

What is the most important security consideration when granting remote access to confidential information to a vendor for analytic purposes?

The vendor must agree to the organization's information security policy

What should the information security manager's first step be to ensure the security policy framework encompasses a new business model?

Perform a gap analysis

What is the best security process to prevent the exploitation of system vulnerabilities?

Regularly updating and applying patches

What is the best support for information security management in the event of organizational changes in security personnel?

Current documentation of security processes

What is the most important to include in a post-incident review following a data breach?

Evaluations of the adequacy of existing controls

Who is responsible for determining the initial recovery time objective (RTO) in a business impact analysis (BIA)?

The business continuity coordinator

What is the first action an information security manager should take when an employee reports the loss of a personal mobile device containing corporate information?

Initiating incident response

What is the best way to ensure that security is integrated during application development?

Providing training on secure development practices to programmers

What is the best way to ensure a disaster recovery plan can be carried out in an emergency?

Requiring disaster recovery documentation to be stored with all key decision makers

What is the most effective way to help staff members understand their responsibilities for information security?

Requiring staff to participate in information security awareness training

What is the most helpful approach for properly scoping the security assessment of an existing vendor?

Reviewing controls listed in the vendor contract

What is not the best way to ensure a disaster recovery plan can be carried out in an emergency?

Storing disaster recovery documentation in a public cloud

What is not the most helpful approach for properly scoping the security assessment of an existing vendor?

Focusing the review on the infrastructure with the highest risk

What would provide the MOST useful information for planning purposes when preparing an action plan to achieve compliance with local regulatory requirements by an established deadline?

Results from a gap analysis

What is the primary purpose of a gap analysis in the context of compliance planning?

To identify potential areas for improvement

What does a gap analysis help to prioritize in the context of compliance planning?

Actions needed to close the gaps

Which assessment process compares actual performance with expected performance to identify areas for improvement in compliance planning?

Gap analysis

What is the PRIMARY objective of performing a vulnerability assessment following a business system update?

Review the effectiveness of controls

Which of the following is the PRIMARY objective of incident triage?

Categorization of events

Which of the following should an information security manager do FIRST after a new cybersecurity regulation has been introduced?

Consult corporate legal counsel

Which of the following is the BEST justification for making a revision to a password policy?

A risk assessment

What is the PRIMARY benefit of conducting a risk assessment?

Evaluating potential threats and vulnerabilities

What is the GREATEST risk of blindly following a vendor recommendation for password policy?

Exposure to new vulnerabilities

Which of the following is the MOST important reason to conduct interviews as part of the business impact analysis (BIA) process?

To identify and analyze impacts on business functions

What is the primary purpose for continuous monitoring of security controls?

To review the effectiveness of controls

What justifies continued investment in an information security program?

A risk assessment

What is the main focus of security metrics in the context of information security program effectiveness?

Reviewing the effectiveness of controls

What is the primary responsibility of security policy provisions in an organization's information security governance framework?

To provide guidance and direction

What is the BEST way to enable an organization to enhance its incident response plan processes and procedures?

Conducting a risk assessment

What is the best evidence of alignment between corporate and information security governance?

Senior management sponsorship

What should an information security team do upon discovering users sharing a login account in violation of access policy?

Present the risk to senior management

What is the best way to assess the risk associated with using a Software as a Service (SaaS) vendor?

Verify that information security requirements are included in the contract

What is the greatest concern from a penetration test against an organization's external web application?

The exploit code for one of the vulnerabilities being publicly available

What is the best reason to conduct a social engineering test in a call center?

Identify candidates for additional security training and assess staff awareness and skills in recognizing and resisting social engineering attacks

What is the best way to ensure timely and reliable access to services?

Availability

What is the primary focus of business impact analysis (BIA)?

Identify critical processes and assets that need protection

What is the best way to evaluate the appropriateness of controls currently in place?

Define the security policy

What should a multinational organization's chief information security officer (CISO) be most concerned with?

Developing a security program that meets global and regional requirements

What does compliance with regulatory requirements involve, in addition to considering deadlines and penalties for noncompliance?

Understanding how to achieve compliance and what actions are needed

What does an inventory of security controls in place help assess?

The current compliance state

What is the best evidence of successful alignment between corporate and information security governance?

Senior management sponsorship

What is the best way to ensure an organization's risk appetite is considered as part of the risk treatment process?

Establishing key risk indicators (KRIs)

What is the primary benefit of introducing a single point of administration in network monitoring?

It allows administrative staff to make management decisions

What is the primary reason to create and externally store the disk hash value during forensic data acquisition from a hard disk?

To validate the integrity during analysis

What is the primary responsibility of security policy provisions in aligning the information security governance framework with business strategy and objectives?

To ensure that a new server is appropriately secured

What is the primary focus of risk management?

To establish key risk indicators (KRIs)

What is the primary purpose for continuous monitoring of security controls?

To detect and respond to security incidents

What is the primary focus of a Security Information and Event Management (SIEM) system?

To detect and respond to security incidents

What is the primary purpose of security metrics in an information security program?

To measure and track the effectiveness of security controls

What is the primary focus of performance in an organizational context?

To achieve organizational objectives efficiently and effectively

What is the primary responsibility of an information security manager in an organization implementing the use of company-owned mobile devices?

To ensure that information is protected against unauthorized disclosure

What is the primary objective of performing a post-incident review?

To identify areas for improvement in the incident response process

What is the primary focus of security metrics in the context of information security program effectiveness?

To measure and track the effectiveness of security controls

What is the best course of action for an information security manager in the event of a serious vulnerability in a cloud application?

Report the situation to the business owner of the application

What is the most effective indication of an information security awareness training program?

An increase in the identification rate during phishing simulations

In the development of an information security strategy, whose input is of greatest importance?

Process owners

What is the best way to monitor for advanced persistent threats (APTs)?

Search for anomalies in the environment, such as unusual network traffic or user behavior

What is the most important factor to consider when determining asset valuation?

The potential business loss

What is the first step in developing an information security strategy?

Perform a gap analysis based on the current state

In the context of developing an information security strategy, what provides the most useful input to determine the organization's information security strategy?

Laws and regulations

What should an information security manager do when believing that information has been classified inappropriately?

Refer the issue to internal audit for a recommendation

What is the most important consideration for an information security manager when developing a multi-year plan?

Ensure alignment with the plans of other business units

What is the best action for an information security manager in the context of developing a multi-year plan?

Ensure alignment with the plans of other business units

What is the best way to eradicate threats and restore secure systems in incident response?

Eradication is the best way

What is the best way to identify the effectiveness of an information security awareness training program?

An increase in the identification rate during phishing simulations

What is the GREATEST challenge with assessing emerging risk in an organization?

Incomplete identification of threats

Which of the following would be the BEST way for an information security manager to improve the effectiveness of an organization's information security program?

Collaborate with business and IT functions in determining controls

What is the PRIMARY responsibility of security policy provisions in aligning the information security governance framework with business strategy and objectives?

Guiding the development of security controls

What is the MOST useful for an information security manager when determining the need to escalate an incident to senior management?

Potential impact on operations

What is the most effective way to gain senior management approval of security investments in network infrastructure?

Demonstrating that targeted security controls tie to business objectives

What should be the primary focus when mitigating security risks associated with emerging technologies?

Addressing unknown vulnerabilities

What is the most likely risk scenario to emerge from a supply chain attack?

Loss of customers due to unavailability of products

What must an information security manager assess for change requests?

Impact on information security risk

What is the best approach to make strategic information security decisions?

Establish an information security steering committee

How can effective strategic alignment of security initiatives be facilitated?

Having organizational units contribute to and agree on priorities

What is the most important aspect when conducting a forensic investigation?

Maintaining a chain of custody

What is the most effective measure in preventing the introduction of vulnerabilities that may disrupt the availability of a critical business application?

A patch management process

What are some reference materials for information security management?

Certified Information Security Manager (CISM) Study Manual and various ISACA resources and journals

What does the CISM Study Manual emphasize the importance of?

Tying security controls to business objectives

What does the information security steering committee provide oversight and guidance on?

Security policies, strategies, and technology implementation

What does effective strategic alignment of security initiatives involve?

Alignment with business goals, collaboration between units, and prioritization based on risk and value

What is the primary objective of the information security incident response process?

To minimize negative impact to critical operations

What is the first step to gain approval for outsourcing to address a security gap?

Developing a cost-benefit analysis

How should an information security manager determine the comprehensiveness of an organization's information security strategy?

By conducting an internal security audit

What should the information security manager recommend as the first step when an organization wants to implement a new standard related to an emerging technology?

Perform a risk assessment on the new technology

What is the best security control for an organization that permits the storage and use of its critical and sensitive information on employee-owned smartphones?

Establishing the authority to remote wipe

How can senior management's concern about the organization's intrusion prevention system (IPS) repeatedly disrupting business operations be addressed?

By decreasing false positives

What is the main benefit of implementing a data loss prevention (DLP) solution?

To eliminate the risk of data loss

What should an organization do to maintain legally admissible evidence?

Have documented processes around forensic records retention

What should the security control for an organization allowing the storage of critical information on employee-owned smartphones align with?

The organization's overall security strategy

What should the information security manager prioritize before adopting new technology standards?

Risk assessment

What should be done to ensure minimal disruption to business operations caused by the organization's intrusion prevention system (IPS)?

Tune the IPS to reduce false positives

What should the implementation of a data loss prevention (DLP) solution complement?

An organization's overall security controls and strategies

What is crucial for maintaining legally admissible evidence and preventing tampering or loss?

Chain of custody forms with points of contact

What is NOT sufficient to maintain legally admissible evidence?

Robust legal framework and notes of legal actions

What is NOT sufficient for maintaining legally admissible evidence?

Technical actions alone

After learning of a data breach at the organization's hosted payroll service provider, what should the information security manager FIRST do?

Validate the breach with the provider

What should the outsourcing agreement for disaster recovery activities MOST importantly include?

Disaster recovery communication plan

What is MOST important for effective risk decision making?

Established risk domains

What is the GREATEST concern resulting from the lack of severity criteria in incident classification?

Ineffective escalation procedures

What is NOT the GREATEST concern resulting from the lack of severity criteria in incident classification?

Timely detection of attacks being impossible

How should an organization test for the existence of backdoors in a mission-critical business application?

Scan the entire application using a vulnerability scanning tool

What can lead to ineffective escalation procedures due to its absence?

Lack of severity criteria in incident classification

What is the MOST effective course of action to test for the existence of backdoors in a mission-critical business application?

Scan the entire application using a vulnerability scanning tool

What should the information security manager FIRST do when an employee reports the loss of a personal mobile device containing corporate information?

Validate the breach with the provider

What is the primary benefit to an organization that maintains an information security governance framework?

Managing business risks to an acceptable level

What is the best evidence of alignment of information security governance with corporate governance?

Average return on investment (ROI) associated with security initiatives

What is the first course of action for an information security manager upon discovering an HVAC vendor with remote access to stores?

Reviewing the vendor contract

What enables an informed decision by senior management when developing a business case to justify an information security investment?

Results of a risk assessment

What is the primary benefit of maintaining an information security governance framework?

Managing business risks to an acceptable level

What should an information security manager's first course of action be when discovering an HVAC vendor with remote access to stores?

Reviewing the vendor contract

What is the primary benefit of maintaining a repository base of security policies?

Communicating information security guidelines across the enterprise

What is the primary focus of risk management?

Managing business risks to an acceptable level

What is the primary benefit of conducting an organization-wide security awareness program?

Communicating information security guidelines across the enterprise

What is the primary purpose of an information security status report for management?

Measuring the effectiveness of security controls

What is the primary responsibility of security policy provisions in aligning the information security governance framework with business strategy and objectives?

Aligning with business strategy and objectives

What is the best evidence of alignment of information security governance with corporate governance?

Average return on investment (ROI) associated with security initiatives

What is MOST useful to an information security manager when conducting a post-incident review of an attack?

Method of operation used by the attacker

When is penetration testing MOST appropriate?

New system is about to go live

What is the PRIMARY reason to perform regular reviews of the cybersecurity threat landscape?

To compare emerging trends with the existing organizational security posture

Which desired outcome BEST supports a decision to invest in a new security initiative?

Reduction of organizational risk

What is the PRIMARY goal of the eradication phase in an incident response process?

Remove the threat and restore affected systems

In the development of a request for proposal (RFP) for a new outsourced service, what should the security manager PRIMARILY focus on defining?

Security requirements for the process being outsourced

Which of the following factors has the GREATEST influence on the successful implementation of information security strategy goals?

Management support

What should be considered FIRST when recovering a compromised system that needs a complete rebuild?

Configuration management files

Who is BEST suited to determine how the information in a database should be classified?

Data owner

Which of the following roles is BEST able to influence the security culture within an organization?

Chief information security officer (CISO)

What is the GREATEST responsibility of security policy provisions in aligning the information security governance framework with business strategy and objectives?

Defining security requirements

What is the PRIMARY focus of risk management?

Identifying and mitigating potential risks

What is the PRIMARY purpose of an information security status report for management?

Providing an overview of the organization's security posture

What BEST enables the integration of information security governance into corporate governance?

Defining security requirements

What should the information security manager FIRST do when an employee reports the loss of a personal mobile device containing corporate information?

Activate remote wipe capabilities

What is the BEST way to evaluate the appropriateness of controls currently in place?

Conduct a security audit

What is the balanced scorecard primarily used for in the context of information security strategy?

Demonstrating alignment with business objectives

What is the strongest justification for granting an exception to the security policy on USB storage devices?

Benefit outweighs potential risk

What is a potential benefit of USB storage devices according to the text?

Data mobility and backup

What is a potential security risk associated with USB storage devices?

Introducing malware

What is NOT considered a strong justification for granting an exception to the security policy on USB storage devices?

Enabling USB based on user roles

What should an exception to a security policy be justified by?

Clear and compelling reason

When can USB storage devices be granted an exception according to the text?

If the benefit is greater than potential risk

What should incident response teams document during the containment phase of incident response?

Actions required to remove the threat

What is NOT a potential security risk posed by USB storage devices?

Access restricted to read-only

What is NOT a potential benefit of USB storage devices according to the text?

Access restricted to read-only

What is the primary focus of justifying an exception to a security policy according to the text?

Clear and compelling reason

What is the primary responsibility of incident response teams during the containment phase?

Documenting actions required to remove the threat

What should an organization prioritize when aligning a security awareness program with the business strategy?

People and culture

What is the primary focus of security risk assessment?

Identifying potential threats and vulnerabilities

What should an organization do when considering replacing desktop computers with tablets for shift-based staff?

Conduct a mobile device risk assessment

What is the best course of action for an information security manager regarding leveraging social network platforms?

Assess the security risk associated with their use

What should an organization prioritize when developing security controls for the use of social networks?

Results of security risk assessment and alignment with the organization's risk appetite

What is essential to ensure when aligning information security with the organization's strategy?

Prioritizing business goals and protecting critical assets

What is involved in security risk assessment?

Identifying, analyzing, and evaluating potential threats and vulnerabilities

What is the primary consideration before establishing processes to publish content on social networks?

Assessing security risk and implementing necessary controls

What may not be feasible or effective in the context of social network platforms?

Conducting vulnerability assessments

What should the information security manager do to support leveraging social network platforms?

Report the decision to the compliance officer and update details within the risk register

What is the primary basis for an information security strategy?

The organization's vision and mission

What do key risk indicators (KRIs) provide?

Early warnings of potential exposure to risk

What is the most important factor when deciding the level of protection for an information asset?

The asset's importance to the organization's operations

What is the best indication of information security strategy alignment with the organization's objectives?

The number of business objectives directly supported by information security initiatives

What is the most important detail to capture in an organization's risk register?

The risk ownership

What is the best analysis to identify the external influences to an organization's information security?

Threat analysis

What is the most important factor to obtain senior leadership support when presenting an information security strategy?

The strategy aligns with management's acceptable level of risk

What should an organization planning to leverage popular social network platforms to promote its products and services do?

Conduct a risk assessment and implement appropriate controls to manage the associated risks

What is crucial when obtaining support for an information security program?

Ensuring that all stakeholders understand the importance of information security and the associated risks

What should an organization capture in its risk register to ensure risks are actively managed?

Risk ownership

What should the information security strategy align with to obtain senior leadership support?

Management's acceptable level of risk

What should an organization do to promote its products and services on popular social network platforms?

Conduct a risk assessment and implement appropriate controls to manage the associated risks

What is important to capture in an organization's risk register?

Risk ownership

What is the best approach to obtain support for a new organization-wide information security program?

Ensuring that all stakeholders understand the importance of information security and the associated risks

Which of the following should include contact information for representatives of equipment and software vendors?

Business continuity plan (BCP)

What is the BEST way to demonstrate that an information security program provides appropriate coverage?

Maturity assessment

What is the best action for the system admin manager to address the issue of negligent handling of incident alerts by system admins?

Provide incident response training to data custodians

What is the PRIMARY purpose of an information security status report for management?

To communicate the effectiveness of security controls

What is the sole responsibility of the client organization when adopting a Software as a Service (SaaS) model?

Data classification

What is the PRIMARY reason for ensuring clearly defined roles and responsibilities are communicated to users with administrative privileges?

Increased accountability

What is the BEST way for the information security manager to help senior management understand the related risk of unpatched software on user workstations?

Include the impact of the risk as part of regular metrics

Information security controls should be designed PRIMARILY based on:

business risk scenarios

Labeling information according to its security classification:

enhances the likelihood of people handling information securely

Management decisions concerning information security investments will be MOST effective when they are based on:

the reporting of consistent and periodic assessments of risks

An information security manager has been tasked with developing materials to update the board, regulatory agencies, and the media about a security incident. What should the information security manager do FIRST?

Determine the needs and requirements of each audience

What is the BEST justification for making a revision to a password policy?

Change in regulatory requirements

What is the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, consistent with applicable laws and regulations, and managed effectively and efficiently?

Security governance

What is the primary reason to create and externally store the disk hash value during forensic data acquisition from a hard disk?

To verify the integrity of the acquired data

What is the primary purpose for continuous monitoring of security controls?

To identify security control weaknesses

What should an organization capture in its risk register to ensure risks are actively managed?

All identified risks

What is the best tool to monitor the effectiveness of information security governance?

Balanced Scorecard

Who is the most appropriate person to own the risk associated with the failure of a privileged access control?

Business Owner

During the initiation phase of the system development life cycle (SDLC) for a software project, what should information security activities address?

Baseline security controls

What is the most important element in achieving executive commitment to an information security governance program?

Aligning the program with identified business drivers

To minimize the risk of data exposure when a user reports a stolen personal mobile device storing sensitive corporate data, what is the best action?

Wipe the device remotely

What is the most helpful for aligning security operations with the IT governance framework?

Security operations program

What are Recovery Time Objectives (RTOs) an output of?

Business Impact Analysis (BIA)

What does a Business Continuity Plan (BCP) describe?

Strategies and procedures for ensuring the continuity of critical business functions or processes

What does a Disaster Recovery Plan (DRP) describe?

Technical steps and resources for restoring IT systems and data

What are important elements for aligning security operations with the IT governance framework?

Information security policy and security risk assessment

What is a Service Level Agreement (SLA) not an output of?

Business Impact Analysis (BIA)

What is the best action to take during an active attack to prevent further access and limit the attack scope?

Not dumping event logs and not shutting off all network access points

What is the ultimate accountability of business data owners in the event of an information security incident at a third-party provider?

They are responsible for data loss

Who is responsible for implementing and enforcing security policies and standards, but not accountable for data loss at a third-party provider?

Information security manager

What is the best evidence to senior management that security control performance has improved?

Review of security metrics trends

Who is the most appropriate role to determine access rights for specific users of an application?

Data owner

What is the primary responsibility of the incident response team?

Managing incidents according to the incident response plan

What is the primary purpose of security metrics in the context of information security program effectiveness?

Measuring and demonstrating the effectiveness and efficiency of security controls over time

What is the best course of action when an online company discovers a network attack in progress?

Isolate the affected network segment

What is NOT recommended in response to an ongoing network attack?

Isolating the affected network segment

What is the responsibility of an information security manager on the change management committee?

To advise on change-related risk

Who is responsible for providing incident response training to data owners?

Not advisable to provide incident response training to data owners

Who is ultimately accountable for data loss at a third-party provider?

Business data owners

What is the responsibility of the service provider hosting the data in the event of data loss?

Not accountable for data loss

What is the primary objective of performing a post-incident review?

To identify the root cause of the incident and develop corrective actions

What is the most critical aspect when creating an incident response plan?

Identifying what constitutes an incident

What is the most effective way to mitigate the risk of external brute force attacks on critical systems?

Implementing multi-factor authentication

What has the greatest positive impact on the ability to execute the disaster recovery plan (DRP)?

Periodic updating of the DRP

What should the information security manager review first when an organization plans to utilize Software as a Service (SaaS) and is in the process of selecting a vendor?

Independent security assessment reports for each vendor

What is the first step before conducting full-functional continuity testing?

Verify that teams and individuals responsible for recovery have been identified and trained

What is the best way to obtain senior management support for an information security governance program?

Demonstrate the program's value to the organization

What does the Service Level Agreement (SLA) define?

Expectations and obligations between a service provider and consumer

What is the most critical factor in protecting an enterprise from advanced persistent threats (APTs)?

Implementing multi-layered defense mechanisms

What is the primary purpose of security metrics in an information security program?

To provide a quantitative measure of the effectiveness of security controls

What is the primary responsibility of an information security manager implementing multi-factor authentication (MFA)?

Enhancing the security of authentication processes

What is the primary purpose of continuous monitoring of security controls?

To detect and respond to security breaches in real-time

What is the BEST method to evaluate the effectiveness of an alternate processing site when continuous uptime is required?

Parallel test

From an information security perspective, legal issues associated with a transborder flow of technology-related items are MOST often related to:

Encryption tools and personal data

Which of the following BEST indicates that information security governance and corporate governance are integrated?

The information security steering committee is composed of business leaders

What is the MOST effective way to mitigate the risk of external brute force attacks on critical systems?

Implementing strong password policies

What is the primary purpose of a risk register in cybersecurity risk management?

To record and track identified risks, their likelihood, impact, mitigation strategies, and status

Why is it crucial for categorization methods for security incidents to have agreed-upon definitions?

To ensure a common understanding and communication among the incident response team and other stakeholders

What is the primary purpose of Key Performance Indicators (KPIs) in cybersecurity risk management?

To help senior management understand the status of information security compliance

What is the contribution of recovery point objective (RPO) to disaster recovery?

To define backup strategy by determining the maximum amount of acceptable data loss

What is the primary role of cybersecurity policies in an organization?

Provide the foundation for developing and implementing cybersecurity strategies, plans, procedures, standards, and guidelines

In the context of risk treatment, what does 'mitigate' mean?

Applying risk treatment option to reduce the impact or probability of a risk

What is the best approach for managing user access permissions to ensure alignment with data classification?

Review access permissions annually or whenever job responsibilities change

What is the primary reason to monitor key risk indicators related to information security?

To benchmark control performance

What is the first step when establishing a new data protection program that must comply with applicable data privacy regulations?

Create an inventory of systems where personal data is stored

What is the most important message to convey to employees in building a security risk-aware culture?

The responsibility for security rests with all employees

Who is responsible for determining the RTOs for critical processes and systems in Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) teams?

Business continuity officers

What is the primary reason for granting a security exception?

Justified by the benefit to the business

What is the best way to ensure an information security training program is most effective?

Base its contents on employees' roles

What is the best way to manage user access permissions to ensure alignment with data classification?

Review access permissions annually or whenever job responsibilities change

What is the primary role of the Federal Emergency Management Agency (FEMA) in determining RTOs?

Supports the role of BCP and DRP teams in determining RTOs

What is the primary responsibility of Recovery Time Objectives (RTOs) determination?

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) teams

What is the best approach for managing user access permissions to ensure alignment with data classification?

Review access permissions annually or whenever job responsibilities change

What is the primary reason to benchmark control performance by monitoring key risk indicators related to information security?

To benchmark control performance

What is the primary basis for determining Recovery Time Objectives (RTOs) according to the text?

Criticality of business functions and maximum acceptable outage

What is the most effective way to communicate forward-looking trends within security reporting according to the text?

Key performance indicators (KPIs)

What is crucial to ensure alignment with corporate governance objectives and legal and regulatory requirements according to the text?

Senior management review and approval of an information security strategic plan

What is the most important consideration for ensuring procurement decisions consider information security concerns when using Software as a Service (SaaS) according to the text?

Integrating information security risk assessments into the procurement process

What provides the most comprehensive insight into ongoing threats facing an organization according to the text?

A risk register

What is the most important way to communicate the effectiveness of an information security governance framework to stakeholders according to the text?

Establishing metrics for each milestone

What is the most important for confirming third-party provider compliance with an organization's information security requirements according to the text?

Including the right to audit in the service level agreement (SLA)

What is the most effective for testing applications to avoid unexpected outcomes in production according to the text?

Using real data that accurately reflects characteristics, patterns, and behaviors

What is NOT mentioned in the text as providing the most comprehensive insight into ongoing threats facing an organization?

Business impact analysis (BIA)

What is the most important for ensuring procurement decisions consider information security concerns when using Software as a Service (SaaS) according to the text?

Integrating information security risk assessments into the procurement process

What is most effective for communicating forward-looking trends within security reporting according to the text?

Key performance indicators (KPIs)

What provides the most comprehensive insight into ongoing threats facing an organization according to the text?

A risk register

What is the primary purpose of information asset classification?

Providing a basis for implementing a need-to-know policy

What is the best way to ensure the capability to restore clean data after a ransomware attack?

Maintain multiple offline backups

What is the primary concern raised by privileged employee access requests to production servers being approved without user actions being logged?

Lack of accountability

What is the primary benefit of information security culture being successful?

End users can identify and report incidents

What is the first step when a new vulnerability affecting key data processing systems is identified?

Re-evaluate the risk associated with the vulnerability

What is the primary purpose of a firewall in information security?

Monitor and filter network traffic

What is the main objective of mitigation in information security management?

Lessen the negative effects of a risk

What does a vulnerability represent in the context of information security?

A weakness that can be exploited by an attacker

What is the indication of a successful information security culture?

End users know how to identify and report incidents

What is the initial course of action for an information security manager when a newly introduced privacy regulation affects the business?

Identify and assess the risk in the context of business objectives

What does the best way to assess the risk associated with a vulnerability entail?

Re-evaluating the risk associated with the vulnerability

What is the primary support provided by information asset classification?

Providing a basis for implementing a need-to-know policy

What is the MOST important step before classifying a suspected event as a security incident?

Notify the business process owner

What should an information security manager do to address security risks not being treated in a timely manner?

Re-perform risk analysis at regular intervals

What does an email digital signature verify to the recipient?

The authenticity of the sender and message integrity

What is the primary action to take when developing materials to update stakeholders about a security incident?

Provide accurate and timely updates to all stakeholders

What is the best approach for managing user access permissions to ensure alignment with data classification?

Implementing role-based access control (RBAC) to restrict unauthorized access to sensitive data

What is the primary benefit of implementing a vulnerability assessment process?

Enhanced threat management

What is the first step when implementing a security program?

Perform a risk analysis to identify and prioritize potential threats and vulnerabilities

What is the best approach to ensure compliance with information security policy for a new application?

Perform a vulnerability analysis before implementation

What is the most important consideration when establishing an organization's information security governance committee?

Ensuring that members represent functions across the organization

What is the best assurance for applying security policies across business operations?

Documenting organizational standards in operational procedures

What is the primary benefit of introducing a single point of administration in network monitoring?

Centralized control and streamlined management

What is the first step when implementing a security program?

Perform a risk analysis to identify and prioritize potential threats and vulnerabilities

What is the best way to ensure compliance with information security policy for a new application?

Perform a vulnerability analysis before implementation

What is the primary benefit of implementing a vulnerability assessment process?

Enhanced threat management

What is NOT prevented by digital signatures according to the text?

Unauthorized access to email messages

What does an incident response plan need to include criteria for, according to an information security manager?

Escalation

What is the primary objective of a post-incident review of an information security incident?

To prevent recurrence

What is the most important information for influencing management's support of information security?

Demonstration of alignment with the business strategy

Why are threat and vulnerability assessments important?

Because they are the basis for setting control objectives

What is the first step in developing an information security strategy?

To identify key stakeholders to champion information security

What is the next step after establishing that an application has been breached?

To isolate the impacted systems from the rest of the network

What is the information security manager's first course of action after a penetration test conducted by an accredited third party?

To report findings to senior management

What is the best reason for an organization to use Disaster Recovery as a Service (DRaaS)?

To lower the annual cost to the business

To ensure that relevant controls are applied to a project, what is the most helpful action?

Identifying responsibilities during the project business case analysis

What is the best way to support the business case for an increase in the information security budget?

Cost-benefit analysis results

How can IT projects going over budget with too many security controls being added post-production be addressed?

By involving information security at each stage of project management

How would a data classification framework help ensure that relevant controls are applied to a project?

By providing it to stakeholders

What can be used to support the business case for an increase in the information security budget?

Cost-benefit analysis results

What is the best way to justify security budgets and prioritize spending based on expected outcomes?

Performing a cost-benefit analysis

Who is in the best position to evaluate business impacts?

The process manager

What is the most important consideration before classifying a suspected event as a security incident?

Notifying the business process owner

What is the most useful information for a newly hired information security manager developing an information security strategy?

The organization's mission statement and roadmap

When performing a business impact analysis (BIA), what should the business process owner calculate?

Recovery time and cost estimates

What is the best support for incident management in the event of attacks on an organization's supply chain?

Establishing communication paths with vendors

What is the most helpful in determining the criticality of an organization's business functions?

Business impact analysis (BIA)

What is the best for enabling regulatory compliance when employee account privileges need to be removed within a specific timeframe?

Privileged Access Management (PAM) system

What is the best way to incorporate media communication procedures into the security incident communication plan?

Include a single point of contact within the organization

What is the best way to ensure that the rationale for acceptance of information security risks is periodically reviewed in a rapidly changing environment?

Review security-related key risk indicators (KRIs)

What is the best indicator of an organization's information security status?

Controls audit

What is the best way to determine if an information security profile is aligned with business requirements?

Reviewing security-related key risk indicators (KRIs)

What is the primary method to build a robust information security culture in an organization?

Implementing an information security governance framework

What is the primary consideration when responding to a ransomware attack?

Ensuring the business can operate to minimize disruption

What is the best approach to protect newly acquired data assets prior to integration?

Performing a risk assessment

What is the best way to embed the organization's security objectives in business operations?

Implementing an information security governance framework

What is a buffer overflow best described as?

A function being carried out with more data than it can handle, presenting a security risk

What is essential when designing a disaster recovery plan?

Availability of Business Impact Analysis (BIA) results

What is the primary accountability of the data owner in an organization with a customer-facing SaaS application?

Addressing major security vulnerabilities at the primary cloud provider

What is the most important requirement for a successful security program?

Management decision on asset value

What is the best way to achieve compliance with new global regulations related to the protection of personal information?

Determining the current and desired state of controls

What primarily determines the level of protection required for assets?

Asset classification

What is most important for the effective implementation of an information security governance program?

Ensuring program goals are communicated and understood by the organization

What should be completed first when developing an asset classification program?

Creating an inventory

Which of the following has the MOST influence on the inherent risk of an information asset?

Business criticality

A critical server for a hospital has been encrypted by ransomware. Which of the following would MOST effectively allow the hospital to avoid paying the ransom?

A properly tested offline backup system

Which of the following is MOST important to ensure when developing escalation procedures for an incident response plan?

The contact list is regularly updated

Which of the following is MOST important for an information security manager to verify when selecting a third-party forensics provider?

The provider's experience and expertise in digital forensics

What is the best step to take in the event of losing a smartphone with sensitive data?

Remotely wipe the device

What is the best method to protect against advanced persistent threats (APTs)?

Implementing proactive systems monitoring

What primarily simulates real-world attacks when testing controls?

Performing black-box control tests

What results in the most accurate controls assessment?

Mature change management processes

Which action requires the most time to restore data for an application?

Full backup

What should be the information security manager's first course of action when an organization is targeted for a major emerging threat?

Validate the relevance of the information

What should be the first trigger when unknown malware infects an organization's critical system?

Activate the incident response plan

What greatly influences the successful adoption of an information security governance program?

Organizational culture

What is the best approach for governing noncompliance with security requirements?

Base mandatory review and exception approvals on inherent risk

What is the most important action for the information security manager when preventive controls are not feasible?

Managing the impact

What is being implemented when a security information and event management (SIEM) system is installed?

Detective control

What best indicates that information assets are classified accurately?

Appropriate prioritization of information risk treatment

What is the best practice for ensuring the integrity of a recovered system after an intrusion?

Reinstall the OS, patches, and applications from a backup

What is the primary focus of an information security manager during the development of a critical system storing highly confidential data?

Ensuring the amount of residual risk is acceptable

What is the best course of action after a server has been attacked?

Initiate incident response

What is the greatest concern when a risk owner approves exceptions to replace key controls with weaker compensating controls?

Risk levels may be elevated beyond acceptable limits

What is the primary purpose of aligning incident response capability with a public cloud service provider?

Update the incident escalation process

What is the best practice for information security management in a security breach scenario?

Isolating the impacted endpoints

What is the most helpful for determining which information security policies should be implemented by an organization?

Risk assessment

What should an information security manager prioritize when developing a security strategy for a new service subject to regulations?

Perform a gap analysis against the current state

What is the best indication of a mature information security culture?

Staff consistently considering risk in decision-making

What is the primary focus of risk mitigation in information security management?

Improving security controls

What is the most important step prior to conducting a forensic examination?

Create an image of the original data on new media to preserve the evidence

What is the primary reason for integrating the various assurance functions of an organization?

To enable consistent security

What is the best response to increasing cyberattacks?

Revalidating and mitigating risks through a risk assessment and mitigation plan

What is the best viable containment strategy for a distributed denial of service (DDoS) attack?

Redirecting the attacker's traffic

What is the most critical factor for information security governance?

Executive sponsorship and business alignment

What is the purpose of an email digital signature?

To verify the integrity of the email message

What is the best approach to ensure appropriate security controls are built into software?

Providing standards for implementation during development activities

What is the factor with the greatest influence on the successful integration of information security within the business?

Organizational structure and culture

What should be included in the business case for an information security initiative with a difficult ROI calculation?

Estimated reduction in risk

What is the best enabler for staff acceptance of information security policies?

Senior management support

What is the best facilitator for effective incident response testing?

Conducting tabletop exercises

What is the best way to integrate information security into corporate governance?

Effective information security governance

What is the primary benefit of including baseline standards for all locations in a global security policy?

Complying with local laws and regulations

What is the best way to measure the effectiveness of an information security program?

Alignment with business objectives

What is the primary objective of an information security governance framework?

To provide a baseline for optimizing the security profile of the organization and manage and reduce risk

What is the first consideration when deciding to move to a cloud-based model?

The physical location of the data

What is the best course of action for an information security manager due to changes in an organization's environment?

Evaluate countermeasures to mitigate new risks

What is important when implementing controls to manage risk to an acceptable level?

Obtaining input from risk owners

In the Infrastructure as a Service (IaaS) cloud model, who assumes the most security responsibility?

The cloud service buyer

What does establishing a clear definition of a security incident in an incident response plan primarily help in developing?

Effective escalation and response procedures

What should be the first step when developing a business case for a new intrusion detection system (IDS) solution?

Define the issues to be addressed

Who should provide approval of risk acceptance for non-compliant online collaboration service after a risk assessment?

Business senior management

What does the Certified Information Security Manager (CISM) Study Manual provide?

Explanations and guidance for various aspects of information security management and governance

What is valuable for professionals seeking to understand and implement effective information security practices and technologies in their organizations?

The information provided

What should the information security manager do FIRST when IT personnel are not adhering to the information security policy due to process inefficiencies?

Determine the risk related to noncompliance with the policy.

Following the deployment of which of the following techniques will security administration efforts be greatly reduced?

Role-based access control

What should be the information security manager's PRIMARY focus when a risk owner has accepted a large amount of risk due to the high cost of controls?

Establishing a strong ongoing risk monitoring process.

Which of the following presents the GREATEST challenge to a security operations center's early warning system of potential security breaches?

IT system clocks are not synchronized with the centralized logging server.

What is the most important basis for developing an effective information security program?

Having an information security strategy in place

Which is the best method to ensure compliance with password standards?

Encouraging the use of long passphrases

What is the most important for ensuring information stored by an organization is protected appropriately?

Defining information asset ownership

What is the best way to obtain organizational support for the implementation of security controls?

Establishing effective stakeholder relationships

What is the best justification for making a revision to a password policy?

A risk assessment

What should password syntax rules allow?

At least 8 characters and up to 64 characters, accept all printable ASCII characters and Unicode characters, and encourage the use of long passphrases

What is not the best way to ensure compliance with password standards?

Using password-cracking software

What is the best way to mitigate potential risks associated with a system or process?

Conducting a risk assessment

What is not the best way to obtain organizational support for the implementation of security controls?

Conducting periodic vulnerability assessments

What is the best way to ensure compliance with password standards?

Automated enforcement of password syntax rules

What is the best course of action for making a revision to a password policy?

Conducting a risk assessment

What is the best method to ensure compliance with password standards?

Automated enforcement of password syntax rules

Who is responsible for determining access levels to an application processing client information?

Business unit management

What is the primary focus for the information security manager when outsourcing IT operations?

Ensuring security requirements are included in the vendor contract

What is the first step for an information security manager after acquiring a company in a foreign country?

Assessing the existing information security laws

What is the greatest concern for an information security manager with outsourced data entry?

Data confidentiality

What is the first step to be taken when an IoT device is confirmed to have been hacked?

Disconnect the device from the network

What is the primary purpose of security metrics in information security?

Measuring control effectiveness and evaluating security posture

What is the responsibility of password policies according to the text?

To be based on the organization's information asset risks and protection needed

What is the benefit of aligning information security program requirements with employment and staffing processes?

Granting access based on task requirements

What is the purpose of including examples of help desk requests in user security awareness training?

To reflect frequently encountered incidents

What do secure transmission protocols protect transactions from?

Eavesdropping

What is the primary purpose of a balanced scorecard in information security governance?

Aligning security objectives with business goals

What is the responsibility of business unit management according to the text?

Determining access levels to an application processing client information

What is the primary focus of a balanced scorecard in the context of information security programs?

Linking financial, customer, internal process, and learning and growth perspectives

What is the most beneficial exercise for an incident response team at the first drill?

Structured walk-through exercise

What is the best way for an organization to ensure that incident response teams are properly prepared?

Conducting tabletop exercises appropriate for the organization

What is the most important criterion when deciding whether to accept residual risk?

Cost of replacing the asset

What is the primary benefit of maintaining an information security governance framework?

Communicating and monitoring vision and strategy

What is the primary responsibility of the incident response team?

Handling information security incidents

What is the primary purpose of Key Performance Indicators (KPIs) in cybersecurity risk management?

Measuring the effectiveness of security controls

What is the PRIMARY reason for ensuring clearly defined roles and responsibilities are communicated to users with administrative privileges?

Preventing misuse of administrative privileges

What should an organization capture in its risk register to ensure risks are actively managed?

Specific responsibilities and accountabilities for managing risks

What is the best way to present quarterly reports to the board on the status of the information security program?

Key Performance Indicators (KPIs)

What is the primary benefit of obtaining senior management buy-in for risk and control ownership?

Establishing authority and accountability of risk and control owners

What is the primary purpose for continuous monitoring of security controls?

Measuring the effectiveness of security controls

What is the BEST way to address the situation of several production databases not having owners assigned to them?

Assign responsibility to the database administrator (DBA).

Which of the following BEST helps to ensure a risk response plan will be developed and executed in a timely manner?

Training on risk management procedures

Which of the following provides the BEST evidence that a recently established information security program is effective?

The number of reported incidents has increased

What should an information security manager do FIRST upon learning that some security hardening settings may negatively impact future business activity?

Perform a risk assessment.

What is the responsibility of a risk owner?

Implementing controls to mitigate the risk

Which of the following is the BEST course of action to prevent further damage upon notification of a compromised endpoint device?

Isolate the endpoint device.

What is the PRIMARY benefit of an information security awareness training program?

Influencing human behavior

Which of the following is the MOST effective security outcome in an organization's contract management process?

Ensuring security requirements are defined at the request-for-proposal (RFP) stage

Which of the following would provide the MOST effective security outcome in an organization's contract management process?

Ensuring security requirements are defined at the request-for-proposal (RFP) stage

Which of the following is the BEST course of action upon noticing that several production databases do not have owners assigned to them?

Assign responsibility to the database administrator (DBA).

Which of the following is the MOST critical factor for information security program success?

The information security manager's knowledge of the business

What should the Chief Information Security Officer (CISO) do FIRST upon learning that a third-party service provider did not notify the organization of a data breach?

Determine the extent of the impact to the organization

What is the BEST way to ensure information security governance is aligned with corporate governance?

Integration of security reporting into corporate reporting

Which of the following is the BEST way to transform an organization's culture to support information security?

Strong management support

What is the BEST way to proceed when independent penetration test results show a high-rated vulnerability in a cloud-based application close to going live?

Postpone the implementation until the vulnerability has been fixed.

What is MOST important to have in place to help ensure an organization's cybersecurity program meets the needs of the business?

Information security governance

What is the BEST method for determining whether a firewall has been configured to provide a comprehensive perimeter defense?

A validation of the current firewall rule set

What is the MOST important factor of a successful information security program?

The program is focused on risk management.

What is a desired outcome of information security governance?

Improved risk management

When an organization quickly shifts to a work-from-home model with an increased need for remote access security, what should be given immediate focus?

Strengthening endpoint security

What should an information security manager do FIRST when a mandatory security standard hinders the achievement of an identified business objective?

Escalate to senior management.

What is the MOST accurate way to determine the alignment of an information security strategy with organizational goals?

Percentage of controls integrated into business processes

What is an information security manager's MOST important course of action when responding to a major security incident that could disrupt the business?

Identify the indicators of compromise.

What type of control is being considered when an organization creates a risk mitigation plan that considers redundant power supplies to reduce the business risk associated with critical system outages?

Preventive

What should be given the HIGHEST priority when an information security manager is tasked with leading the IT risk management process during a digital transformation?

Identification of risk

What is the PRIMARY advantage of involving end users in continuity planning?

They have a better understanding of specific business needs.

What is the most important consideration when defining how an information security budget should be allocated?

The information security strategy

What is the primary benefit of maintaining an information security governance framework?

Mitigating security risks

What is the greatest challenge to the recovery of critical systems and data following a ransomware incident?

Unavailability or corruption of data backups

What is the most important issue in a penetration test?

Having a defined goal and success criteria

What is the greatest threat posed by a distributed denial of service (DDoS) attack on a public-facing web server?

Unauthorized access

What is the best offering to assist customers in recovering from a security incident in a typical Infrastructure as a Service (IaaS) model?

Snapshot of virtual machines

What is the primary benefit of conducting a reverse lookup in preventing Internet Protocol (IP) spoofing?

Verifying the authenticity of the source IP address

What is the most important issue when there are significant exceptions to a newly released industry-required security standard?

Assessing the consequences of noncompliance

What is a common drawback of email software packages that provide native encryption of messages?

Inability to interoperate across product domains

What should the incident management team leader do after a cyberattack?

Conduct a meeting to capture lessons learned

What defines the triggers within a business continuity plan (BCP) according to the text?

The disaster recovery plan (DRP)

What is the best way to reduce the risk of security incidents from targeted email attacks?

Implementing a security awareness training program for employees

What is the first step an information security manager should take to comply with new security incident response requirements?

Conduct a gap analysis

What is the most useful source when planning a business-aligned information security program?

Business Impact Analysis (BIA)

What should be the highest priority during an information security post-incident review?

Evaluating the effectiveness of the incident response effort

What is the most effective way to prevent information security incidents?

Implementing a security awareness training program for employees

What is the primary focus of a Business Impact Analysis (BIA) in the context of information security?

Identifying the security controls and measures to reduce operational disruptions

What is the most useful way to obtain senior management support for an information security program?

Conducting a gap analysis to demonstrate areas for improvement

What is the primary objective of a post-incident review of an information security incident?

Evaluating the effectiveness of the incident response effort

What is the most important aspect of project management in an organizational context?

Aligning project goals with organizational strategy

What is the primary role of multi-factor authentication (MFA) in information security?

Preventing unauthorized access by requiring multiple credentials

What is the purpose of a balanced scorecard in information security governance?

To align security metrics with organizational objectives

What should be the highest priority for an organization creating an enterprise strategy for protecting data across multiple repositories?

Developing a comprehensive data classification policy

What is the primary advantage of single sign-on (SSO)?

It enhances the efficiency of access management

How can confidentiality of content when accessing an email system over the Internet be ensured?

By using digital encryption

What is the most important consideration of business continuity management?

Ensuring human safety

What is the primary advantage of a balanced scorecard in the context of information security programs?

It provides a comprehensive view of security performance

What is the best course of action for the information security manager if a threat intelligence report indicates a large number of ransomware attacks targeting the industry?

Assess the risk to the organization

What should be the primary focus of an incident response plan?

Ensuring incidents are responded to by the appropriate individuals

What is the most effective message to obtain senior management's commitment to information security management?

Security supports and protects the business

What is the best course of action for the information security manager when the business activity residual risk is lower than the acceptable risk level?

Monitor the effectiveness of controls

What is the most important component of monthly information security reports to the board?

Trend analysis of security metrics

What is the best course of action for the information security manager if a soon-to-be deployed online application will increase risk beyond acceptable levels?

Present a business case for additional controls to senior management

What is the most important factor to consider when reevaluating risk in information security management?

Changes in the threat landscape

What should the new information security manager review when developing an information security strategy for a non-regulated organization?

Management's business goals and objectives

Study Notes

Information Security Manager Responsibilities and Best Practices

• The primary responsibility of an information security manager implementing company-owned mobile devices is to review and update existing security policies.
• Security policies define the goals, objectives, and requirements for protecting information and systems and should be regularly reviewed and updated.
• The information security manager should address aspects like scope, acceptable use, security standards, roles and responsibilities, procedures, and incident response in security policies.
• The review and update of security policies align the security program with business objectives, risk appetite, and applicable laws and regulations.
• Requiring remote wipe capabilities, conducting security awareness training, and enforcing passwords and data encryption are possible actions or controls derived from updated security policies.
• The effectiveness of an organization's information security program is best measured by return on information security investment.
• To overcome the perception that security is a hindrance to business activities, an information security manager should promote the relevance and contribution of security.
• Protecting an enterprise from advanced persistent threats (APTs) is most helpful with defined security standards.
• When choosing controls to mitigate risk, the information security manager's decision should be mainly driven by regulatory requirements.
• Defined levels of severity are the best determinant of resource allocation during a security incident response.
• The first step an information security manager should take when creating an organization's disaster recovery plan (DRP) is to conduct a business impact analysis (BIA).
• Identifying the response and recovery teams, reviewing the communications plan, and developing response and recovery strategies are subsequent steps in creating a DRP.

Information Security Management - Key Concepts and Best Practices

• Regular incident response testing cannot prevent brute force attacks, which are related to security threats from external sources.
• Stolen data cannot be prevented by regular incident response testing as it is related to security breaches that may occur despite the incident response plan or process.
• The primary purpose for continuous monitoring of security controls is to ensure the effectiveness of controls, including identifying potential weaknesses and addressing them.
• Incident response teams can best leverage the results of a business impact analysis (BIA) by assigning restoration priority during incidents based on the BIA findings.
• After deciding to adopt a bring your own device (BYOD) strategy, the next step for the information security manager is to define control requirements to ensure the security policy framework encompasses the new business model.
• An effective information security training program should be based on employees' roles and responsibilities, tailored to specific job functions.
• The evaluation of incident response effectiveness is best supported by a post-incident review process.
• To lower the cost of implementing application security controls, the best option is to integrate security activities within the development process to address security throughout the software development life cycle (SDLC).
• The primary responsibility of an information security manager in an organization implementing the use of company-owned mobile devices is to require remote wipe capabilities for devices to enhance security.
• The information security manager should communicate potential business impact with regard to open items from the risk register when reporting to senior management.
• Defining control requirements is the next step after a risk assessment to ensure the security policy framework aligns with the BYOD strategy.
• Integrating security activities within the development process is the best option to lower the cost of implementing application security controls.

Information Security Program Effectiveness and Key Considerations

• Project management involves planning, executing, and monitoring projects to achieve specific objectives within constraints such as time, budget, scope, and quality.
• Balanced scorecards can measure the performance of individual projects or project portfolios but are not specific to information security projects.
• Performance is the degree to which an organization or a process achieves its objectives or meets its standards.
• Risk management involves identifying, analyzing, evaluating, treating, monitoring, and communicating risks that affect an organization's objectives.
• An online bank should first isolate the affected network segment in the event of a successful network attack.
• Security metrics are the most important to include in a report to key stakeholders regarding the effectiveness of an information security program.
• An information security program is a set of policies, procedures, standards, guidelines, and tools aimed at protecting an organization's information assets from threats and ensuring compliance with laws and regulations.
• Embedding compliance requirements within operational processes provides ongoing assurance that legal and regulatory compliance requirements can be met.
• Regulatory compliance involves following external legal mandates set forth by state, federal, or international governments.
• A balanced scorecard demonstrates the added value of an information security program by measuring and reporting on key performance indicators and key risk indicators aligned with strategic objectives.
• Recovery time objectives (RTOs) are the most important consideration when determining which type of failover site to employ.
• Different types of failover sites, such as hot sites, warm sites, and cold sites, vary in terms of availability, cost, and complexity.

Information Security Governance and Best Practices

• The best way to integrate information security governance into enterprise governance is by establishing an information security steering committee.
• When granting remote access to confidential information to a vendor for analytic purposes, the most important security consideration is that the vendor must agree to the organization's information security policy.
• The primary basis for determining the value of assets should be the business cost when assets are not available.
• The best way to reduce the risk associated with a bring your own device (BYOD) program is to implement a mobile device policy and standard, including guidelines and rules regarding the use of mobile devices and requirements for secure mobile device practices.
• To ensure the security policy framework encompasses a new business model, the information security manager's first step should be to perform a gap analysis.
• The most important consideration when defining a recovery strategy in a business continuity plan (BCP) is the organizational tolerance to service interruption.
• The best approach to incident response for an organization migrating to a cloud-based solution is to revise incident response procedures to encompass the cloud environment.
• The primary basis for a severity hierarchy for information security incident classification should be the adverse effects on the business.
• Spoofing should be prevented because it may be used to gain illegal entry to a secure system by faking the sender's address.
• Spoofing is a technique that involves impersonating someone or something else to deceive or manipulate the recipient or target, and can be applied to various communication channels, such as emails, websites, phone calls, IP addresses, or DNS servers.

Information Security Management Summary

• Patch management is the best security process to prevent the exploitation of system vulnerabilities.
• Current documentation of security processes is the best support for information security management in the event of organizational changes in security personnel.
• Evaluations of the adequacy of existing controls are most important to include in a post-incident review following a data breach.
• The business continuity coordinator is responsible for determining the initial recovery time objective (RTO) in a business impact analysis (BIA).
• Initiating incident response is the first action an information security manager should take when an employee reports the loss of a personal mobile device containing corporate information.
• Providing training on secure development practices to programmers is the best way to ensure that security is integrated during application development.
• Requiring disaster recovery documentation to be stored with all key decision makers is the best way to ensure the plan can be carried out in an emergency.
• Requiring staff to participate in information security awareness training is the most effective way to help staff members understand their responsibilities for information security.
• Reviewing controls listed in the vendor contract is the most helpful approach for properly scoping the security assessment of an existing vendor.
• Storing disaster recovery documentation in a public cloud is not the best way to ensure the plan can be carried out in an emergency.
• Maintaining an outsourced contact center in another country is not the best way to ensure the plan can be carried out in an emergency.
• Focusing the review on the infrastructure with the highest risk is not the most helpful approach for properly scoping the security assessment of an existing vendor.

Information Security Management Summary

• Eradication is a critical phase in incident response, involving the removal of threats and restoration of secure systems to prevent further damage or compromise.
• In the event of a serious vulnerability in a cloud application, the best course of action for an information security manager is to report the situation to the business owner of the application.
• The most effective indication of an information security awareness training program is an increase in the identification rate during phishing simulations.
• Process owners' input is of greatest importance in the development of an information security strategy.
• The best way to monitor for advanced persistent threats (APTs) is to search for anomalies in the environment, such as unusual network traffic or user behavior.
• When determining asset valuation, it is most important to consider the potential business loss.
• The first step in developing an information security strategy is to perform a gap analysis based on the current state.
• When developing a multi-year plan, the most important consideration for an information security manager is to ensure alignment with the plans of other business units.
• In the context of developing an information security strategy, laws and regulations provide the most useful input to determine the organization's information security strategy.
• An information security manager's best action, when believing that information has been classified inappropriately, is to refer the issue to internal audit for a recommendation.
• The MOST important consideration for an information security manager when developing a multi-year plan is to ensure alignment with the plans of other business units.
• In the context of developing an information security strategy, laws and regulations provide the most useful input to determine the organization's information security strategy.

Information Security Management Summary

• The best evidence of alignment of information security governance with corporate governance is the average return on investment (ROI) associated with security initiatives.
• Average number of security incidents across business units, mean time to resolution (MTTR) for enterprise-wide security incidents, and number of vulnerabilities identified for high-risk information assets are not good metrics for alignment with corporate governance.
• The first course of action for an information security manager, upon discovering an HVAC vendor with remote access to stores, should be to review the vendor contract.
• Reviewing the vendor contract helps to understand the contractual obligations, expectations, and identify any gaps or issues that need to be addressed or resolved.
• Conducting a penetration test of the vendor, reviewing the vendor's technical security controls, and disconnecting the real-time access are not the first course of action for the information security manager in this scenario.
• When developing a business case to justify an information security investment, the results of a risk assessment would best enable an informed decision by senior management.
• The primary benefit to an organization that maintains an information security governance framework is that business risks are managed to an acceptable level.
• Maintaining an information security governance framework prioritizes resources to maximize return on investment (ROI).
• It helps communicate information security guidelines across the enterprise.
• It also helps the organization remain compliant with regulatory requirements.
• The information security manager's first course of action should be to review the vendor contract when discovering an HVAC vendor with remote access to stores.
• Reviewing the vendor contract helps understand the contractual obligations, expectations, and identify any gaps or issues that need to be addressed or resolved.

Information Security Management Summary

• The primary basis for an information security strategy should be the organization's vision and mission, guiding security policies and practices.
• When senior management accepts the risk of noncompliance with a new regulation, the information security manager should update details within the risk register.
• Alignment of a security awareness program with the organization's business strategy should prioritize people and culture.
• An organization replacing desktop computers with tablets for shift-based staff should conduct a mobile device risk assessment to mitigate the increased risk of theft.
• Key risk indicators (KRIs) provide early warnings of potential exposure to risk, and the criticality of information helps prioritize risks.
• The best course of action for the information security manager to support leveraging social network platforms is to assess the security risk associated with their use.
• Security risk assessment involves identifying, analyzing, and evaluating potential threats and vulnerabilities to information assets.
• Establishing processes to publish content on social networks should be performed after assessing security risk and implementing necessary controls.
• Conducting vulnerability assessments on social network platforms may not be feasible or effective due to lack of control over infrastructure and configuration.
• Developing security controls for the use of social networks should be based on the results of security risk assessment and aligned with the organization's risk appetite and tolerance.
• Information security manager should report the decision to the compliance officer, update details within the risk register, reassess the organization's risk tolerance, and assess the impact of the regulation.
• It is essential to ensure information security is aligned with the organization's strategy to prioritize business goals and protect critical assets.

Information Security Program, Level of Protection, Strategy Alignment, and Risk Management

• Delivering an information security awareness campaign is the best approach to obtain support for a new organization-wide information security program.
• The most important factor when deciding the level of protection for an information asset is the impact to the business function.
• The best indication of information security strategy alignment with the organization's objectives is the number of business objectives directly supported by information security initiatives.
• Threat analysis is the best analysis to identify the external influences to an organization's information security.
• The most important detail to capture in an organization's risk register is the risk ownership.
• The most important factor to obtain senior leadership support when presenting an information security strategy is that the strategy aligns with management's acceptable level of risk.
• An organization planning to leverage popular social network platforms to promote its products and services should conduct a risk assessment and implement appropriate controls to manage the associated risks.
• When obtaining support for an information security program, it is crucial to ensure that all stakeholders understand the importance of information security and the associated risks.
• The level of protection for an information asset should be determined based on its importance to the organization's operations and its impact on the organization's overall security posture.
• It is important to capture risk ownership in the risk register to ensure that risks are actively managed and that responsible parties are held accountable.
• The information security strategy should align with management's acceptable level of risk to obtain senior leadership support.
• The external influences to an organization's information security can be identified through a threat analysis process.

Information Security Management Summary

• Service Level Agreement (SLA) defines expectations and obligations between a service provider and consumer, including availability, performance, and security.
• To obtain senior management support for an information security governance program, it's best to demonstrate the program's value to the organization.
• Before conducting full-functional continuity testing, an information security manager should verify that teams and individuals responsible for recovery have been identified and trained on their roles and responsibilities.
• When an organization plans to utilize Software as a Service (SaaS) and is in the process of selecting a vendor, the information security manager should review independent security assessment reports for each vendor first.
• The primary objective of performing a post-incident review is to identify the root cause of the incident, which is used to develop and implement corrective actions to prevent similar incidents from occurring in the future.
• The most critical aspect when creating an incident response plan is identifying what constitutes an incident.
• To mitigate the risk of external brute force attacks on critical systems, the most effective way is to implement multi-factor authentication.
• Updating the disaster recovery plan (DRP) periodically has the greatest positive impact on the ability to execute the plan, as it ensures the plan reflects the current environment and addresses potential risks or issues before an emergency arises.

Information Security Management Summary

• Mitigation involves taking actions to lessen the negative effects of a risk, such as implementing security controls, policies, or procedures.
• A firewall is a security device that monitors and filters network traffic, helping to mitigate the risk of unauthorized access, exploitation, or attack on legacy applications that cannot be patched.
• When a new vulnerability affecting key data processing systems is identified, the first step is to re-evaluate the risk associated with the vulnerability.
• A vulnerability is a weakness that can be exploited by an attacker to compromise a system or network, potentially affecting key data processing systems within an organization.
• The best way to ensure the capability to restore clean data after a ransomware attack is to maintain multiple offline backups.
• A successful information security culture is indicated when end users know how to identify and report incidents.
• When a newly introduced privacy regulation affects the business, the information security manager's first course of action should be to identify and assess the risk in the context of business objectives.
• Privileged employee access requests to production servers being approved without user actions being logged raises the greatest concern of lack of accountability.
• The greatest benefit of information asset classification is providing a basis for implementing a need-to-know policy.
• Information asset classification helps define resource ownership.
• Information asset classification supports segregation of duties.
• Information asset classification does not help determine the recovery point objective (RPO).

Information Security and Risk Management Summary

• Building a robust information security culture in an organization is primarily achieved through senior management approval of information security policies.
• When responding to a ransomware attack, the primary consideration is to ensure the business can operate to minimize disruption and impact on critical functions and services.
• The best way to embed the organization's security objectives in business operations is to implement an information security governance framework.
• When designing a disaster recovery plan, the availability of Business Impact Analysis (BIA) results is essential to prioritize system restoration.
• A buffer overflow is best described as a function being carried out with more data than it can handle, presenting a security risk.
• To protect newly acquired data assets prior to integration, the best approach is to perform a risk assessment.
• When developing an asset classification program, creating an inventory should be completed first.
• In an organization where the main product is a customer-facing SaaS application, the data owner is primarily accountable for addressing major security vulnerabilities identified at the primary cloud provider.
• Management decision on asset value is the most important requirement for a successful security program.
• To achieve compliance with new global regulations related to the protection of personal information, determining the current and desired state of controls is the best way.
• Asset classification primarily determines the level of protection required for assets.
• For the effective implementation of an information security governance program, it is most important that the program goals are communicated and understood by the organization.

Information Security Management and Governance

• Risk tolerance and organizational objectives do not influence how information security is integrated within the business, but rather what information security aims to achieve or protect.
• The state of the organization and information security personnel are not influential in how information security is integrated within the business, but rather what the organization aspires to be or do, and who performs information security tasks or activities.
• Obtaining input from risk owners when implementing controls is important to manage the risk to an acceptable level and tailor the controls to specific risks.
• Due to changes in an organization's environment, the best course of action for an information security manager is to evaluate countermeasures to mitigate new risks.
• Approval of risk acceptance for non-compliant online collaboration service should be provided by business senior management after a risk assessment.
• In the Infrastructure as a Service (IaaS) cloud model, the cloud service buyer assumes the most security responsibility.
• The primary objective of an information security governance framework is to provide a baseline for optimizing the security profile of the organization and manage and reduce risk.
• Establishing a clear definition of a security incident in an incident response plan primarily helps in developing effective escalation and response procedures.
• The first consideration when deciding to move to a cloud-based model should be the physical location of the data.
• The first step when developing a business case for a new intrusion detection system (IDS) solution is to define the issues to be addressed.
• The Certified Information Security Manager (CISM) Study Manual provides explanations and guidance for various aspects of information security management and governance.
• The information provided is valuable for professionals seeking to understand and implement effective information security practices and technologies in their organizations.

Information Security and Disaster Recovery Planning

• Balanced scorecard is a strategic management tool linking financial, customer, internal process, and learning and growth perspectives.
• Disaster recovery plan (DRP) tasks include developing a test plan, analyzing business impact, defining response team roles, and identifying recovery time objectives (RTOs).
• Effective communication during information security incidents is best supported by predetermined service level agreements (SLAs).
• The most beneficial exercise for an incident response team at the first drill is a tabletop exercise.
• The most important criterion when deciding whether to accept residual risk is the cost of replacing the asset.
• A recovery point objective (RPO) is required in a disaster recovery plan (DRP).
• The best way for an organization to ensure that incident response teams are properly prepared is by conducting tabletop exercises appropriate for the organization.
• Obtaining senior management buy-in enables the assignment of risk and control ownership.
• Risk and control ownership refers to the assignment of specific responsibilities and accountabilities for managing risks and controls to individuals or groups within the organization.
• Obtaining senior management buy-in helps to establish the authority and accountability of the risk and control owners and provide them with necessary resources and support.
• The balanced scorecard helps organizations communicate and monitor their vision and strategy across different levels and functions.
• The balanced scorecard describes the cause-and-effect linkages between high-level perspectives of strategy and execution.

Information Security Management Exam Prep

• Merger with another organization can require a revision to the information security program due to changes in structure, size, and information systems.
• The best way to reduce the risk of security incidents from targeted email attacks is to conduct awareness training across the organization.
• Conducting awareness training helps educate and empower employees to recognize and avoid falling for targeted email attacks.
• The first step an information security manager should take to comply with new security incident response requirements is to conduct a gap analysis.
• The most effective way to prevent information security incidents is to implement a security awareness training program for employees.
• Security awareness training provides employees with the knowledge and skills to identify potential security threats and reduce the risk of information security incidents.
• The most useful source when planning a business-aligned information security program is a Business Impact Analysis (BIA).
• A BIA helps identify the security controls and measures that should be implemented to reduce the impact of disruptions to an organization's operations.
• The highest priority during an information security post-incident review should be given to evaluating the effectiveness of the incident response effort.
• Evaluating incident response effectiveness includes assessing the accuracy, timeliness, and efficiency of the response to identify areas for improvement.
• Documenting actions taken in sufficient detail, updating key risk indicators (KRIs), and evaluating the performance of incident response team members are all important components of a post-incident review.
• These insights are derived from ISACA's Certified Information Security Manager (CISM) Study Manual, Section 3.1, and various reputable sources.

Information Security Management Summary

• The best course of action when the business activity residual risk is lower than the acceptable risk level is to monitor the effectiveness of controls.
• Monthly information security reports to the board should include trend analysis of security metrics as the most important component.
• An incident response plan should include a detailed incident notification process to ensure incidents are responded to by the appropriate individuals.
• The most effective message to obtain senior management's commitment to information security management is that security supports and protects the business.
• The primary advantage of single sign-on (SSO) is that it increases the efficiency of access management.
• When a threat intelligence report indicates a large number of ransomware attacks targeting the industry, the best course of action is to assess the risk to the organization.
• Confidentiality of content when accessing an email system over the Internet can be ensured through digital encryption.
• Reevaluation of risk is most critical when there is a change in the threat landscape.
• The most important consideration of business continuity management should be ensuring human safety.
• Relationships between critical systems are best understood by performing a business impact analysis (BIA).
• When a soon-to-be deployed online application will increase risk beyond acceptable levels, the best course of action for the information security manager is to present a business case for additional controls to senior management.
• When a new information security manager is developing an information security strategy for a non-regulated organization, reviewing management's business goals and objectives would be most helpful.