
CISM1 (dragged) 4.pdf


IT Certification Guaranteed, The Easy Way!

The greatest challenge with assessing emerging risk in an organization is the incomplete identification of threats, as emerging risks are often new, unknown, or unfamiliar, and may not be fully understood or assessed. Incomplete identification of threats can lead to gaps in risk analysis and management, and expose the organization to unexpected or unprepared-for scenarios. The other options, such as lack of a risk framework, ineffective security controls, or presence of known vulnerabilities, are not specific to emerging risks, and may apply to any type of risk assessment.
Reference:
https://committee.iso.org/sites/tc262/home/projects/ongoing/iso-31022-guidelines-for-impl-2.html
https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2023/volume-6/emergingrisk-analysis
https://projectriskcoach.com/emerging-risks/

NO.118 Which of the following would be MOST effective in gaining senior management approval of security investments in network infrastructure?
A. Performing penetration tests against the network to demonstrate business vulnerability
B. Highlighting competitor performance regarding network best security practices
C. Demonstrating that targeted security controls tie to business objectives
D. Presenting comparable security implementation estimates from several vendors
Answer: C
Explanation:
The most effective way to gain senior management approval of security investments in network infrastructure is by demonstrating that targeted security controls tie to business objectives. Security investments should be tied to business objectives and should support the overall goals of the organization. By demonstrating that the security controls will directly support the organization's business objectives, senior management will be more likely to approve the investment. According to the Certified Information Security Manager (CISM) Study Manual, "To gain senior management's approval for investments in security, it is essential to show how the security controls tie to business objectives and are in support of the overall goals of the organization." While performing penetration tests against the network, highlighting competitor performance, and presenting comparable security implementation estimates from vendors are all useful in presenting the value of security investments, they are not as effective as demonstrating how the security controls will support the organization's business objectives.
Reference: Certified Information Security Manager (CISM) Study Manual, 15th Edition, Page 305.

NO.119 Which of the following should be the PRIMARY area of focus when mitigating security risks associated with emerging technologies?
A. Compatibility with legacy systems
B. Application of corporate hardening standards
C. Integration with existing access controls
D. Unknown vulnerabilities
Answer: D

NO.120 Which of the following risk scenarios is MOST likely to emerge from a supply chain attack?
A. Compromise of critical assets via third-party resources
B. Unavailability of services provided by a supplier
C. Loss of customers due to unavailability of products
D. Unreliable delivery of hardware and software resources by a supplier
Answer: C

NO.121 Which of the following activities MUST be performed by an information security manager for change requests?
A. Perform penetration testing on affected systems.
B. Scan IT systems for operating system vulnerabilities.
C. Review change in business requirements for information security.
D. Assess impact on information security risk.
Answer: D

NO.122 Which of the following is the BEST approach to make strategic information security decisions?
A. Establish regular information security status reporting.
B. Establish an information security steering committee.
C. Establish business unit security working groups.
D. Establish periodic senior management meetings.
Answer: B
Explanation:
An information security steering committee is a group of stakeholders responsible for providing governance and guidance to the organization on all matters related to information security. The committee provides oversight and guidance on security policies, strategies, and technology implementation. It also ensures that the organization is in compliance with relevant laws and regulations. Additionally, it serves as a forum for discussing security-related issues and ensures that security is taken into account when making strategic decisions.

NO.123 Which of the following BEST facilitates effective strategic alignment of security initiatives?
A. The business strategy is periodically updated.
B. Procedures and standards are approved by department heads.
C. Periodic security audits are conducted by a third party.
D. Organizational units contribute to and agree on priorities.
Answer: D
Explanation:
"Organizational units contribute to and agree on priorities" is the best way to facilitate effective strategic alignment of security initiatives because it ensures that the security initiatives are aligned with the business goals and objectives, supported by relevant stakeholders, and prioritized based on risk and value. "The business strategy is periodically updated" is not sufficient to facilitate effective strategic alignment of security initiatives because it does not involve collaboration or communication between different organizational units. "Procedures and standards are approved by department heads" is not sufficient because it does not reflect the strategic direction or vision of the organization. "Periodic security audits are conducted by a third party" is not sufficient because it does not address the planning or implementation of security initiatives.
Reference:
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-2/how-to-align-securityinitiatives-with-business-goals-and-objectives
https://www.isaca.org/resources/isacajournal/issues/2015/volume-1/how-to-measure-the-effectiveness-of-information-securitygovernance

NO.124 Which of the following is MOST important when conducting a forensic investigation?
A. Analyzing system memory
B. Documenting analysis steps
C. Capturing full system images
D. Maintaining a chain of custody
Answer: D

NO.125 Which of the following is MOST effective in preventing the introduction of vulnerabilities that may disrupt the availability of a critical business application?
A. A patch management process
B. Version control
C. Change management controls
D. Logical access controls
Answer: A

NO.126 Which of the following should be the FIRST step to gain approval for outsourcing to address a security gap?
A. Collect additional metrics.
B. Perform a cost-benefit analysis.
C. Submit funding request to senior management.
D. Begin due diligence on the outsourcing company.
Answer: B

NO.127 Which of the following should be the PRIMARY objective of the information security incident response process?
A. Conducting incident triage
B. Communicating with internal and external parties
C. Minimizing negative impact to critical operations
D. Classifying incidents
Answer: C

NO.128 Which of the following BEST enables an information security manager to determine the comprehensiveness of an organization's information security strategy?
A. Internal security audit
B. External security audit
C. Organizational risk appetite
D. Business impact analysis (BIA)
Answer: A

NO.129 An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST?
A. Determine whether the organization can benefit from adopting the new standard.
B. Obtain legal counsel's opinion on the standard's applicability to regulations.
C. Perform a risk assessment on the new technology.
D. Review industry specialists' analyses of the new standard.
Answer: C

NO.130 An organization permits the storage and use of its critical and sensitive information on employee-owned smartphones. Which of the following is the BEST security control?
A. Establishing the authority to remote wipe
B. Developing security awareness training
C. Requiring the backup of the organization's data by the user
D. Monitoring how often the smartphone is used
Answer: A
Explanation:
The best security control for an organization that permits the storage and use of its critical and sensitive information on employee-owned smartphones is establishing the authority to remote wipe. Remote wipe is a feature that allows an authorized administrator or user to remotely erase the data on a device in case of loss, theft, or compromise [1]. Remote wipe can help prevent unauthorized access or disclosure of the organization's information on employee-owned smartphones, as well as protect the privacy of the employee's personal data. Remote wipe can be implemented through various methods, such as mobile device management (MDM) software, native device features, or third-party applications [2]. However, remote wipe requires the consent and cooperation of the employee, as well as a clear policy that defines the conditions and procedures for its use. The other options are not the best security controls for an organization that permits the storage and use of its critical and sensitive information on employee-owned smartphones. Developing security awareness training is an important measure to educate employees about the security risks and responsibilities associated with using their own smartphones for work purposes, but it does not provide technical or physical protection for the data on the devices [3]. Requiring the backup of the organization's data by the user is a good practice to ensure data availability and recovery in case of device failure or loss, but it does not prevent unauthorized access or disclosure of the data on the devices [4]. Monitoring how often the smartphone is used is a possible way to detect abnormal or suspicious activities on the devices, but it does not prevent or mitigate the impact of a data breach on the devices.
Reference:
[1] Remote Wipe - Lifewire
[2] How Businesses with a BYOD Policy Can Secure Employee Devices - IBM
[3] Security Awareness Training - NIST
[4] Mobile Device Backup - NIST
Mobile Device Security Policy - SANS

NO.131 Senior management has expressed concern that the organization's intrusion prevention system (IPS) may repeatedly disrupt business operations. Which of the following BEST indicates that the information security manager has tuned the system to address this concern?
A. Increasing false negatives
B. Decreasing false negatives
C. Decreasing false positives
D. Increasing false positives
Answer: C
Explanation:
Decreasing false positives is the best indicator that the information security manager has tuned the system to address senior management's concern that the organization's intrusion prevention system (IPS) may repeatedly disrupt business operations. False positives are alerts generated by the IPS when it mistakenly blocks legitimate traffic or activity, causing disruption or downtime. Decreasing false positives means that the IPS has been configured to reduce such errors and minimize unnecessary interruptions. Increasing false negatives is not a good indicator because it means that the IPS has failed to detect or block malicious traffic or activity, increasing the risk of compromise or damage. Decreasing false negatives is not a good indicator because it does not affect business operations, but rather improves security detection or prevention. Increasing false positives is not a good indicator because it means that the IPS has increased its errors and interruptions, worsening senior management's concern.
Reference:
https://www.isaca.org/resources/isacajournal/issues/2017/volume-6/the-value-of-penetration-testing
https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/security-scanning-versuspenetration-testing

NO.132 The MAIN benefit of implementing a data loss prevention (DLP) solution is to:
A. enhance the organization's antivirus controls.
B. eliminate the risk of data loss.
C. complement the organization's detective controls.
D. reduce the need for a security awareness program.
Answer: B

NO.133 Which of the following BEST enables an organization to maintain legally admissible evidence?
A. Documented processes around forensic records retention
B. Robust legal framework with notes of legal actions
C. Chain of custody forms with points of contact
D. Forensic personnel training that includes technical actions
Answer: C
Explanation:
Chain of custody forms with points of contact are the best way to enable an organization to maintain legally admissible evidence because they document the sequence of control, transfer, and analysis of the evidence: every person who handled it, the dates and times, and the purpose of each action [1]. They also ensure the authenticity and integrity of the evidence, and prevent tampering or loss [1]. Documented processes around forensic records retention are not sufficient to maintain legally admissible evidence because they do not track or verify the handling of the evidence. A robust legal framework with notes of legal actions is not sufficient because it does not record or validate the preservation of the evidence. Forensic personnel training that includes technical actions is not sufficient because it does not account for or certify the custody of the evidence.
Reference:
[1] https://www.researchgate.net/publication/326079761_Digital_Chain_of_Custody

NO.134 Which of the following should an information security manager do FIRST after learning through mass media of a data breach at the organization's hosted payroll service provider?
A. Suspend the data exchange with the provider.
B. Notify appropriate regulatory authorities of the breach.
C. Initiate the business continuity plan (BCP).
D. Validate the breach with the provider.
Answer: D
Explanation:
The first thing an information security manager should do after learning through mass media of a data breach at the organization's hosted payroll service provider is to validate the breach with the provider, which means contacting the provider directly and confirming the details and scope of the breach, such as when it occurred, what data was compromised, and what actions the provider is taking to mitigate the impact. Validating the breach with the provider can help the information security manager assess the situation accurately and plan the next steps accordingly. The other options, such as suspending the data exchange, notifying regulatory authorities, or initiating the business continuity plan, may be premature or unnecessary before validating the breach with the provider.
Reference:
https://www.wired.com/story/sequoia-hr-data-breach/
https://cybernews.com/news/kronos-major-hr-and-payroll-service-provider-hit-with-ransomwarewarns-of-a-long-outage/
https://www.afr.com/work-and-careers/workplace/pay-in-crisis-as-major-payroll-company-hacked20211117-p599mr

NO.135 An organization is planning to outsource the execution of its disaster recovery activities. Which of the following would be MOST important to include in the outsourcing agreement?
A. Definition of when a disaster should be declared
B. Requirements for regularly testing backups
C. Recovery time objectives (RTOs)
D. The disaster recovery communication plan
Answer: D

NO.136 To support effective risk decision making, which of the following is MOST important to have in place?
A. Established risk domains
B. Risk reporting procedures
C. An audit committee consisting of mid-level management
D. Well-defined and approved controls
Answer: A
Explanation:
Established risk domains are important for effective risk decision making because they provide a basis for categorizing risks and assessing their impact on the organization. Risk domains are also used to assign risk ownership and prioritize risk management activities. Having established risk domains in place helps ensure that risks are properly identified and addressed, and enables organizations to make informed and effective decisions about risk. Risk reporting procedures, an audit committee consisting of mid-level management, and well-defined and approved controls are all important components of an effective risk management program, but established risk domains are the most important for effective risk decision making.

NO.137 Which of the following is the GREATEST concern resulting from the lack of severity criteria in incident classification?
A. Statistical reports will be incorrect.
B. The service desk will be staffed incorrectly.
C. Escalation procedures will be ineffective.
D. Timely detection of attacks will be impossible.
Answer: C
Explanation:
The greatest concern resulting from the lack of severity criteria in incident classification is that escalation procedures will be ineffective, because they rely on severity criteria to determine when and how to escalate an incident to higher levels of authority or responsibility, and what actions or resources are required for resolving an incident. "Statistical reports will be incorrect" is not a great concern because reports do not affect the incident response process directly, but rather provide information or analysis for improvement or evaluation purposes. "The service desk will be staffed incorrectly" is not a great concern because it does not affect the incident response process directly, but rather affects the availability or efficiency of one of its components. "Timely detection of attacks will be impossible" is not a great concern because detection does not depend on severity criteria, but rather on monitoring and alerting mechanisms.
Reference:
https://www.isaca.org/resources/isacajournal/issues/2017/volume-5/incident-response-lessons-learned
https://www.isaca.org/resources/isaca-journal/issues/2018/volume-3/incident-response-lessonslearned

NO.138 An organization recently outsourced the development of a mission-critical business application. Which of the following would be the BEST way to test for the existence of backdoors?
A. Scan the entire application using a vulnerability scanning tool.
B. Run the application from a high-privileged account on a test system.
C. Perform security code reviews on the entire application.
D. Monitor Internet traffic for sensitive information leakage.
Answer: C

NO.139 Which of the following metrics provides the BEST evidence of alignment of information security governance with corporate governance?
A. Average return on investment (ROI) associated with security initiatives
B. Average number of security incidents across business units
C. Mean time to resolution (MTTR) for enterprise-wide security incidents
D. Number of vulnerabilities identified for high-risk information assets
Answer: A
Explanation:
Average return on investment (ROI) associated with security initiatives is the best metric to provide evidence of alignment of information security governance with corporate governance because it demonstrates the value and benefits of security investments to the organization's strategic goals and objectives. Average number of security incidents across business units is not a good metric because it does not measure the effectiveness or efficiency of security initiatives or their alignment with corporate governance. Mean time to resolution (MTTR) for enterprise-wide security incidents is not a good metric because it does not measure the impact or outcome of security initiatives or their alignment with corporate governance. Number of vulnerabilities identified for high-risk information assets is not a good metric because it does not measure the performance or improvement of security initiatives or their alignment with corporate governance.
Reference:
https://www.isaca.org/resources/isaca-journal/issues/2015/volume-6/measuring-the-value-ofinformation-security-investments
https://www.isaca.org/resources/isacajournal/issues/2015/volume-1/how-to-measure-the-effectiveness-of-information-securitygovernance

NO.140 A newly appointed information security manager of a retailer with multiple stores discovers an HVAC (heating, ventilation, and air conditioning) vendor has remote access to the stores to enable real-time monitoring and equipment diagnostics. Which of the following should be the information security manager's FIRST course of action?
A. Conduct a penetration test of the vendor.
B. Review the vendor's technical security controls.
C. Review the vendor contract.
D. Disconnect the real-time access.
Answer: C
Explanation:
Reviewing the vendor contract should be the information security manager's first course of action when discovering an HVAC vendor has remote access to the stores to enable real-time monitoring and equipment diagnostics. The vendor contract should specify the terms and conditions of the vendor's access to the retailer's network, such as the scope, purpose, duration, frequency, and method of access. The vendor contract should also define the roles and responsibilities of both parties regarding security, privacy, compliance, liability, and incident response. Reviewing the vendor contract will help the information security manager to understand the contractual obligations and expectations of both parties, and to identify any gaps or issues that need to be addressed or resolved [1]. The other options are not the first course of action for the information security manager when discovering an HVAC vendor has remote access to the stores. Conducting a penetration test of the vendor may be a useful way to assess the vendor's security posture and potential vulnerabilities, but it should be done with the vendor's consent and cooperation, and after reviewing the vendor contract [2]. Reviewing the vendor's technical security controls may be a necessary step to verify the vendor's compliance with security standards and best practices, but it should be done after reviewing the vendor contract and in accordance with the agreed-upon audit procedures [3]. Disconnecting the real-time access may be a drastic measure that could disrupt the vendor's service delivery and violate the vendor contract, unless there is a clear and imminent threat or breach that warrants such action.
Reference:
[1] Vendor Access: Addressing the Security Challenge with Urgency - BeyondTrust
[2] Penetration Testing - NIST
[3] Reduce Risk from Third Party Access | BeyondTrust
Third-Party Vendor Security Risk Management & Prevention

NO.141 When developing a business case to justify an information security investment, which of the following would BEST enable an informed decision by senior management?
A. The information security strategy
B. Losses due to security incidents
C. The results of a risk assessment
D. Security investment trends in the industry
Answer: C
Explanation:
The results of a risk assessment would best enable an informed decision by senior management when developing a business case to justify an information security investment. A risk assessment will help to identify and prioritize the threats and vulnerabilities that affect the organization's assets and processes, as well as the potential impact and likelihood of occurrence. A risk assessment will also provide a basis for selecting and evaluating the effectiveness of controls to mitigate the risks. According to CISA, developing a business case for security will be based on an in-depth understanding of organizational vulnerabilities, operational priorities, and return on investment [1]. The information security strategy, losses due to security incidents, and security investment trends in the industry are possible inputs or outputs of a risk assessment, but they are not sufficient to enable an informed decision by senior management.
Reference:
[1] The Business Case for Security - CISA
[2] The Business Case for Security | CISA
[3] #HowTo: Build a Business Case for Cybersecurity Investment
[4] Making the Business Case for Information Security

NO.142 What is the PRIMARY benefit to an organization that maintains an information security governance framework?
A. Resources are prioritized to maximize return on investment (ROI).
B. Information security guidelines are communicated across the enterprise.
C. The organization remains compliant with regulatory requirements.
D. Business risks are managed to an acceptable level.
Answer: D
Explanation:
According to the Certified Information Security Manager (CISM) Study Manual, a mature information security culture is one in which staff members regularly consider risk in their decisions. This means that they are aware of the risks associated with their actions and take preventative steps to reduce the likelihood of negative outcomes. Other indicators of a mature information security culture include mandatory information security training for all staff, documented and communicated information security policies, and regular interaction between the CISO and the board. Maintaining an information security governance framework enables an organization to identify, assess, and manage its information security risks. By establishing policies, procedures, and controls that are aligned with the organization's objectives and risk tolerance, an information security governance framework helps ensure that information security risks are managed to an acceptable level. According to the Certified Information Security Manager (CISM) Study Manual, "Information security governance provides a framework for managing and controlling information security practices and technologies at an enterprise level. Its primary objective is to manage and reduce risk through a process of identification, assessment, and management of those risks." While the other options listed (prioritizing resources, communicating guidelines, and remaining compliant with regulations) are also important benefits of maintaining an information security governance framework, they are all secondary to the primary benefit of managing business risks to an acceptable level.
Reference: Certified Information Security Manager (CISM) Study Manual, 15th Edition, Pages 60-63.

NO.143 Which of the following is MOST useful to an information security manager when conducting a post-incident review of an attack?
A. Cost of the attack to the organization
B. Location of the attacker
C. Method of operation used by the attacker
D. Details from intrusion detection system (IDS) logs
Answer: C

NO.144 Penetration testing is MOST appropriate when a:
A. new system is about to go live.
B. new system is being designed.
C. security policy is being developed.
D. security incident has occurred.
Answer: A

NO.145 Which of the following is the PRIMARY reason to perform regular reviews of the cybersecurity threat landscape?
A. To compare emerging trends with the existing organizational security posture
B. To communicate worst-case scenarios to senior management
C. To train information security professionals to mitigate new threats
D. To determine opportunities for expanding organizational information security
Answer: A

NO.146 Which of the following desired outcomes BEST supports a decision to invest in a new security initiative?
A. Enhanced security monitoring and reporting
B. Reduced control complexity
C. Enhanced threat detection capability
D. Reduction of organizational risk
Answer: D

NO.147 Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?
A. Documentation of control procedures
B. Standardization of compliance requirements
C. Automation of controls
D. Integration of assurance efforts
Answer: B

NO.148 Which of the following is the BEST way to obtain support for a new organization-wide information security program?
A. Benchmark against similar industry organizations.
B. Deliver an information security awareness campaign.
C. Publish an information security RACI chart.
D. Establish an information security strategy committee.
Answer: B
Explanation:
Delivering an information security awareness campaign is the BEST approach to obtain support for a new organization-wide information security program. An information security awareness campaign is a great way to raise awareness of the importance of information security and the impact it can have on an organization. It helps to ensure that all stakeholders understand the importance of information security and are aware of the risks associated with it. Additionally, an effective awareness campaign can help to ensure that everyone in the organization is aware of the cybersecurity policies, procedures, and best practices that must be followed.

NO.149 Which of the following will provide the MOST guidance when deciding the level of protection for an information asset?
A. Impact on information security program
B. Cost of controls
C. Impact to business function
D. Cost to replace
Answer: C
Explanation:
When deciding the level of protection for an information asset, the most important factor to consider is the impact to the business function. The value of the asset should be evaluated in terms of its importance to the organization's operations and how its security posture affects the organization's overall security posture. Additionally, the cost of implementing controls, the potential impact on the information security program, and the cost to replace the asset should be taken into account when determining the appropriate level of protection for the asset.

NO.150 Which of the following is the BEST indication of information security strategy alignment with the "&
A. Percentage of information security incidents resolved within defined service level agreements (SLAs)
B. Percentage of corporate budget allocated to information security initiatives
C. Number of business executives who have attended information security awareness sessions
D. Number of business objectives directly supported by information security initiatives
Answer: D

NO.151 Which of the following analyses will BEST identify the external influences to an organization's information security?
A. Business impact analysis (BIA)
B. Gap analysis
C. Threat analysis
D. Vulnerability analysis
Answer: C
Explanation:
Threat analysis is a process that is used to identify and assess the external influences or threats that could potentially affect an organization's information security. It is used to identify potential risks and develop strategies to mitigate or reduce those risks. Threat analysis involves analyzing the environment, identifying potential threats and their potential impacts, and then evaluating the organization's current security measures and developing strategies to address any deficiencies.

NO.152 Which of the following is the MOST important detail to capture in an organization's risk register?
A. Risk severity level
B. Risk acceptance criteria
C. Risk appetite
D. Risk ownership
Answer: D
Explanation:
Risk ownership is the most important detail to capture in an organization's risk register. Risk ownership is the responsibility for managing a risk, including taking corrective action, and should be assigned to a specific individual or team. It is important to note that the risk owner is not necessarily the same as the risk acceptor, who is the individual or team that makes the final decision to accept a risk. Capturing risk ownership in the risk register is important to ensure that risks are actively managed and that the responsible parties are held accountable.

NO.153 Which of the following is MOST important in order to obtain senior leadership support when presenting an information security strategy?
A. The strategy aligns with management's acceptable level of risk.
B. The strategy addresses ineffective information security controls.
C. The strategy aligns with industry benchmarks and standards.
D. The strategy addresses organizational maturity and the threat environment.
Answer: A
Explanation:
The most important factor in obtaining senior leadership support when presenting an information security strategy is that the strategy aligns with management's acceptable level of risk, because this ensures that the strategy is consistent and compatible with the organization's risk appetite and thresholds, and reflects management's expectations and priorities for security risk management. "The strategy addresses ineffective information security controls" is not a very important factor because it does not indicate how the strategy will improve or enhance the security controls or performance. "The strategy aligns with industry benchmarks and standards" is not a very important factor because it does not indicate how the strategy will differentiate or innovate the organization's security capabilities or practices. "The strategy addresses organizational maturity and the threat environment" is not a very important factor because it does not indicate how the strategy will advance or adapt the organization's security posture or resilience.
Reference:
https://www.isaca.org/resources/isacajournal/issues/2016/volume-4/technical-security-standards-for-information-systems
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/how-to-align-securityinitiatives-with-business-goals-and-objectives

NO.154 An organization plans to leverage popular social network platforms to promote its products and services. Which of the following is the BEST course of action for the information security manager to support this initiative?
A. Establish processes to publish content on social networks.
B. Assess the security risk associated with the use of social networks.
C. Conduct vulnerability assessments on social network platforms.
D. Develop security controls for the use of social networks.
Answer: B Explanation: The best course of action for the information security manager to support the initiative of leveraging popular social network platforms to promote the organization's products and services is to assess the security risk associated with the use of social networks. Security risk assessment is a process of identifying, analyzing, and evaluating the potential threats and vulnerabilities that may affect the confidentiality, integrity, and availability of information assets and systems. By conducting a security risk assessment, the information security manager can provide valuable input to the decision-making process regarding the benefits and costs of using social networks, as well as the appropriate security controls and mitigation strategies to reduce the risk to an acceptable level. The other options are not the best course of action, although they may be part of the security risk management process. Establishing processes to publish content on social networks is an operational task that should be performed after assessing the security risk and implementing the necessary controls. Conducting vulnerability assessments on social network platforms is a technical activity that may not be feasible or effective, as the organization does not have control over the platforms' infrastructure and configuration. Developing security controls for the use of social networks is a preventive measure that should be based on the results of the security risk assessment and aligned with the organization's risk appetite and tolerance NO.155 Which of the following should be the PRIMARY basis for an information security strategy? A. The organization's vision and mission B. Results of a comprehensive gap analysis C. Information security policies D. Audit and regulatory requirements Answer: A Explanation: The primary basis for an information security strategy should be the organization's vision and mission. 
The organization's vision and mission should be the foundation for the security strategy, and should inform and guide the security policies, procedures, and practices that are implemented. The results of a comprehensive gap analysis, information security policies, and audit and regulatory requirements should all be taken into consideration when developing the security strategy, but should not be the primary basis. NO.156 Senior management has just accepted the risk of noncompliance with a new regulation What should the information security manager do NEX*P A. Report the decision to the compliance officer B. Update details within the risk register. 53