CISM Domain 1
Necessary attribute of an effective information security governance framework
- An organizational structure with minimal conflicts of interest, with sufficient resources and defined responsibilities
- Organizational procedures and guidelines must be aligned with policies
- The security strategy must be aligned with business objectives
- The security policy addresses multiple facets of security
___ is ultimately responsible for information security.
Governance, risk and compliance (GRC)
An effort to integrate assurance activities across an organization to achieve greater efficiency and effectiveness
Information security exists to ____
minimize business disruptions and support the achievement of organizational objectives
Important consideration when developing an information security strategy:
effectiveness of risk management
Secondary considerations when developing an information security strategy:
- Resources required to implement the strategy
- Legal and regulatory requirements must be considered in the strategy to the extent management determines the appropriate level of compliance
- Resources available to implement the program (not the main consideration)
MOST influence how the information security program will be designed and implemented:
generally influences risk appetite and risk tolerance, which in turn have significant influence over how an information security program should be designed and implemented.
Organizations classify data according to
their value and exposure
Acceptable levels of information security risk should be determined by:
Steering Committee / Senior management
The MOST basic requirement for an information security governance program is to:
be aligned with the corporate business strategy
A systems approach for developing information security includes _____
the understanding that the whole is more than the sum of its parts and changes in any one part affect the rest
Policies should reflect ______
the intent and direction of senior management
Business impact analysis
identifies the impact from the loss of systems or organization functions
Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.
establish the allowable operational boundaries for people, processes and technology.
define management's security goals and expectations for an organization. These are defined in more specific terms within standards and procedures.
Information security policy development should PRIMARILY be based on:
anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm
defined as a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
defined as the potential loss to an area due to the occurrence of an adverse event
The following are not issues if no threat exists:
generally quantified as a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term
Information Security Manager Responsibility
- Evaluation of vendors offering security products
- Assessment of risk to the organization
- The development of standards that meet the policy intent
- Developing the security strategy
What is the MAIN risk when there is no user management representation on the information security steering committee?
Information security plans are not aligned with business requirements
Which of the following is the MOST important consideration when developing an information security strategy?
Supporting business objectives
What should be the PRIMARY basis of a road map for implementing information security governance?
The PRIMARY concern of an information security manager documenting a formal data retention policy is:
The purpose of an information security strategy is to:
express the goals of an information security program and the plan to achieve them
New regulatory and legal compliance requirements that will have an effect on information security will MOST likely come from the:
Affected departments; they are typically advised by their respective associations of new or changing regulations and the probable impacts on various organizations
An information security _____ is least likely to change over time
Policies do not change as frequently as _____ and _____; however, security policies do change to adjust to _______________________, and these changes do not typically require adjustments to _________________________
procedures and standards; new regulations or laws or to address emerging technology trends; to the information security strategy.
If there is no _______, there is no need for policy
The main reason to ensure integration of governance in all organizational functions is to ________________________
prevent gaps in the management of risk and maintain acceptable risk levels throughout the organization.
All aspects of organizational activities pose risk that is mitigated through:
effective information security governance and the development and implementation of policies, standards and procedures.
Information security governance must be integrated into all business functions and activities PRIMARILY to:
address operational risk
Compliance with security policies and standards is the responsibility of:
All organizational units
Security responsibilities of data custodians within an organization include:
ensuring that appropriate security measures are maintained and are consistent with organizational policy and standards
Data owners determine _______ for _______ so that __________.
data classification levels; information assets; appropriate levels of controls can be provided to meet the requirements relating to confidentiality, integrity and availability
the amount of risk a business is willing to incur
the amount of deviation from the risk appetite a business considers acceptable
the amount of risk a business can absorb without ceasing to exist
Risk Capacity equation
risk capacity >= risk appetite + risk tolerance
occurs when an organization decides that no action is required for a specific risk - it is willing to suffer the consequences instead of expending resources to mitigate it
- the amount of risk left over after we have mitigated a risk
- mitigation of risk means the level of risk has been decreased so that it is at or less than the risk appetite (not eliminated entirely)
Risk Analysis Process
1) examine all risk sources identified earlier
2) determine each risk's exposure to potential threats and the effect on likelihood
3) determine the consequences if an attack happens
4) determine the likelihood that those consequences will occur and the factors that affect the likelihood
5) identify all existing controls that help mitigate the risk
The basis for developing relevant security policies is (1)____ prioritized by (2)_____. The strictest policies apply to the areas of (3)_____
(1) addressing viable threats to the organization
(2) the likelihood of occurrence and their potential impact on the business
(3) greatest business value
Driving factors for data retention:
business and regulatory requirements
The first step of establishing Information Security Governance is (1)____. (2)___ are stated in terms of (3) ______ and (4)_____. This can be accomplished through (5)_______. The (6)_____ then has the information needed to develop (7)________. This is followed by setting a series of (8)______ that, when achieved, will (9)_________.
1) Senior Management determining the outcomes it wants from the information security program
3) risk management
4) the levels of acceptable risk
5) a set of facilitated meetings with senior management and business unit leaders
6) Information Security Manager
7) a set of requirements for a security program
8) specific objectives
9) satisfy the requirements
Control objectives are determined based on:
desired state outcomes and levels of acceptable risk
A road map is created to:
identify the specifics needed to achieve the objectives