CISM Exam Dumps - Certified Information Security Manager

According to the CISM Review Manual, engaging stakeholders is the most important step when developing an information security strategy, as it helps to ensure that the strategy is aligned with the business objectives, expectations, and requirements of the stakeholders. Engaging stakeholders also helps to gain their support and commitment for the implementation and maintenance of the strategy. Assigning data ownership, determining information types, and classifying information assets are possible subsequent steps, but not the most important one.

References = CISM Review Manual, 27th Edition, Chapter 2, Section 2.1.1, page 731.

The primary objective of implementing standard security configurations is to control vulnerabilities and reduce threats from changed configurations. Standard security configurations are the baseline settings and parameters that define the desired security level and functionality of information systems and devices. By implementing standard security configurations, the organization can ensure that the information systems and devices are configured in a consistent and secure manner, and that any deviations or changes from the standard are detected and corrected. This can help to prevent or mitigate potential security incidents caused by misconfigurations, unauthorized modifications, or malicious attacks.

References: The CISM Review Manual 2023 states that “the information security manager is responsible for ensuring that the security configuration of information systems is in compliance with the security policies and standards of the organization” and that “the information security manager should establish and implement standard security configurations for information systems and devices, and monitor and review the security configuration on a regular basis and take corrective actions when deviations or violations are detected” (p. 138). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this answer: “Control vulnerabilities and reduce threats from changed configurations is the correct answer because it is the primary objective of implementing standard security configurations, as it helps to maintain the security posture and functionality of information systems and devices, and to prevent or mitigate potential security incidents caused by misconfigurations, unauthorized modifications, or malicious attacks” (p. 63). Additionally, the article Standard Security Configurations from the ISACA Journal 2017 states that “standard security configurations are the baseline settings and parameters that define the desired security level and functionality of information systems and devices” and that “standard security configurations can help to control vulnerabilities and reduce threats from changed configurations by ensuring that the information systems and devices are configured in a consistent and secure manner, and that any deviations or changes from the standard are detected and corrected” (p. 1)

A classification model is necessary to ensure consistent protection for an organization’s information assets, because it defines the criteria for assigning different levels of sensitivity and criticality to the information assets, and determines the appropriate security controls and handling procedures for each level. Data ownership, regulatory requirements, and control assessment are also important aspects of information security management, but they are not sufficient to ensure consistent protection without a classification model.

References = CISM Review Manual, 16th Edition, page 67

Corporate culture is the most important factor to consider when trying to gain organization-wide support for an information security program because it reflects the values, beliefs, and behaviors of the organization and its members. Corporate culture influences how the organization perceives, prioritizes, and responds to information security risks and issues, and how it adopts and implements information security policies and practices. By understanding and aligning with the corporate culture, the information security manager can communicate the benefits and value of the information security program, and foster a positive and collaborative security culture across the organization.

References: The CISM Review Manual 2023 states that “corporate culture is the set of shared values, beliefs, and behaviors that characterize the organization and its members” and that “corporate culture affects how the organization views and manages information security risks and issues, and how it supports and implements information security policies and practices” (p. 81). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this answer: “Corporate culture is the correct answer because it is the most important factor to consider when trying to gain organization-wide support for an information security program, as it reflects the values, beliefs, and behaviors of the organization and its members, and influences how they perceive, prioritize, and respond to information security risks and issues, and how they adopt and implement information security policies and practices” (p. 23). Additionally, the article Building a Culture of Security from the ISACA Journal 2019 states that “corporate culture is the key factor that determines the success or failure of an information security program” and that “corporate culture can be either an enabler or a barrier for information security, depending on how well it aligns with the information security objectives, values, and practices of the organization” (p. 1)

A capability maturity model evaluation is the best way to determine the gap between the present and desired state of an information security program because it provides a systematic and structured approach to assess the current level of maturity of the information security processes and practices, and compare them with the desired or target level of maturity that is aligned with the business objectives and requirements. A capability maturity model evaluation can also help to identify the strengths and weaknesses of the information security program, prioritize the improvement areas, and develop a roadmap for achieving the desired state.

References = Information Security Architecture: Gap Assessment and Prioritization, CISM Review Manual 15th Edition

 A risk register is a document that records and tracks the information security risks facing an organization, such as their sources, impacts, likelihoods, responses, and statuses. A risk register provides the most comprehensive insight into ongoing threats facing an organization, as it covers both internal and external threats, as well as their current and potential effects on the organization’s assets, processes, and objectives. A risk register also helps to prioritize and monitor the risk mitigation actions and controls, and to communicate the risk information to relevant stakeholders. Therefore, option B is the most appropriate answer.

Option A is not the best answer because a business impact analysis (BIA) is a process that identifies and evaluates the critical business functions, assets, and dependencies of an organization, and assesses their potential impact in the event of a disruption or loss. A BIA does not provide a comprehensive insight into ongoing threats facing an organization, as it focuses more on the consequences of the threats, rather than their sources, likelihoods, or responses. A BIA is mainly used to support the business continuity and disaster recovery planning, rather than the information security risk management.

Option C is not the best answer because penetration testing is a method of simulating a malicious attack on an organization’s IT systems or networks, to evaluate their security posture and identify any vulnerabilities or weaknesses that could be exploited by real attackers. Penetration testing does not provide a comprehensive insight into ongoing threats facing an organization, as it only covers a specific scope, target, and scenario, rather than the whole range of threats, sources, and impacts. Penetration testing is mainly used to validate and improve the technical security controls, rather than the information security risk management.

Option D is not the best answer because vulnerability assessment is a process of scanning and analyzing an organization’s IT systems or networks, to detect and report any flaws or gaps that could pose a security risk. Vulnerability assessment does not provide a comprehensive insight into ongoing threats facing an organization, as it only covers the technical aspects of the threats, rather than their business, legal, or regulatory implications. Vulnerability assessment is mainly used to identify and remediate the security weaknesses, rather than the information security risk management. References = CISM Review Manual 15th Edition1, pages 258-259; CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, QID 306.

A risk register provides the MOST comprehensive insight into ongoing threats facing an organization. This is because a risk register is a document that records and tracks the identified risks, their likelihood, impact, mitigation strategies, and status. A risk register helps an organization to monitor and manage the threats that could affect its objectives, assets, and operations. A risk register also helps an organization to prioritize its response efforts and allocate its resources accordingly.

Reviewing controls listed in the vendor contract is the most helpful approach for properly scoping the security assessment of an existing vendor because it helps to determine the security requirements and expectations that the vendor has agreed to meet. A vendor contract is a legal document that defines the terms and conditions of the business relationship between the organization and the vendor, including the scope, deliverables, responsibilities, and obligations of both parties. A vendor contract should also specify the security controls that the vendor must implement and maintain to protect the organization’s data and systems, such as encryption, authentication, access control, backup, monitoring, auditing, etc. Reviewing controls listed in the vendor contract helps to ensure that the security assessment covers all the relevant aspects of the vendor’s security posture, as well as to identify any gaps or discrepancies between the contract and the actual practices. Therefore, reviewing controls listed in the vendor contract is the correct answer.

References:

https://medstack.co/blog/vendor-security-assessments-understanding-the-basics/

https://www.ncsc.gov.uk/files/NCSC-Vendor-Security-Assessment.pdf

https://securityscorecard.com/blog/how-to-conduct-vendor-security-assessment