CISM Exam Dumps - Certified Information Security Manager

 An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus primarily on defining security requirements for the process being outsourced. Security requirements are the specifications of what needs to be done to protect the information assets from unauthorized access, use, disclosure, modification, or destruction. Security requirements should be aligned with the organization’s risk appetite and business objectives, and should cover both technical and organizational aspects of the service delivery. Security requirements should also be clear, concise, measurable, achievable, realistic, and testable. References = CISM Review Manual (Digital Version), Chapter 3: Information Security Risk Management, Section 3.1: Risk Identification, p. 115-1161. CISM Review Manual (Print Version), Chapter 3: Information Security Risk Management, Section 3.1: Risk Identification, p. 115-1162. CISM ITEM DEVELOPMENT GUIDE, Domain 3: Information Security Program Development and Management, Task Statement 3.1, p. 193.

Security requirements for the process being outsourced are the specifications and standards that the third party must comply with to ensure the confidentiality, integrity and availability of the critical business information. They define the roles and responsi-bilities of both parties, the security controls and measures to be implemented, the se-curity objectives and expectations, the security risks and mitigation strategies, and the security monitoring and reporting mechanisms. Security requirements are essential to protect the information assets of the organization and to establish a clear and en-forceable contractual relationship with the third party.

References:

•1 Outsourcing Strategies for Information Security: Correlated Losses and Security Exter-nalities - SpringerLink

•2 What requirements must outsourcing services comply with for the European market? - CBI

•3 Outsourcing cybersecurity: What services to outsource, what to keep in house - Infosec Institute

•4 BCFSA outsourcing and information security guidelines - BLG

Conducting periodic user awareness training is the best way to mitigate accidental data loss events because it can educate the users on the causes, consequences, and prevention of data loss, and increase their awareness of the security policies and procedures of the organization. User awareness training can also help users to identify and report potential data loss incidents, and to adopt good practices such as backing up data, encrypting data, and using secure channels for data transmission and storage.

References: The article Mistakes Happen—Mitigating Unintentional Data Loss from the ISACA Journal 2018 states that “user awareness training is the most effective way to prevent unintentional data loss” and that “user awareness training should include information on the types and sources of data loss, the impact and cost of data loss, the legal and regulatory requirements for data protection, the organization’s data security policies and procedures, the roles and responsibilities of users in data security, the best practices and tools for data security, and the reporting and escalation process for data loss incidents” (p. 2)1. The Data Spill Management Guide from the Cyber.gov.au website also states that “user awareness training is an important preventative measure to reduce the likelihood of data spills” and that “user awareness training should cover topics such as data classification, data handling, data storage, data transmission, data disposal, and data spill reporting” (p. 2)

Business impact analysis (BIA) is the most helpful in determining the criticality of an organization’s business functions because it is a process of identifying and evaluating the potential effects of disruptions or interruptions to those functions. BIA helps to prioritize the recovery of the most critical functions and to estimate the resources and time needed for the recovery. Therefore, business impact analysis (BIA) is the correct answer.

References:

https://www.linkedin.com/pulse/business-continuity-critical-functions-tino-marquez

https://www.techtarget.com/searchitchannel/feature/Business-impact-analysis-for-business-continuity-Understanding-impact-criticality

= An information security manager should contact the information owner after the incident has been confirmed, as this is the point when the impact and severity of the incident can be assessed and communicated. The information owner is responsible for the business value and use of the information and should be involved in the decision making process regarding the incident response. Contacting the information owner after the incident has been mitigated or contained may be too late, as the information owner may have different priorities or expectations than the security team. Contacting the information owner after the potential incident has been logged may be premature, as the incident may turn out to be a false positive or a minor issue that does not require the information owner’s attention. References = 1: CISM Review Manual, 16th Edition by Isaca (Author), page 292.

Baseline controls are the minimum set of security requirements that apply to all information systems in an organization, regardless of their specific functions or characteristics. They are derived from the organization’s security policies, standards, and best practices, and they reflect the organization’s risk appetite and tolerance. Baseline controls provide a consistent and comprehensive foundation for the security of the information systems, and they can be tailored or supplemented by additional controls as needed for specific systems or situations. The other options are not as comprehensive as baseline controls, as they may only address certain aspects or aspects of the security requirements, or they may vary depending on the system or the context. For example, risk assessment results are an important input for defining the security requirements, but they are not the requirements themselves. Audit findings are an output of evaluating the compliance and effectiveness of the security requirements, but they are not the requirements themselves. Key risk indicators (KRIs) are metrics that measure the level of risk exposure and performance of the security requirements, but they are not the requirements themselves. References =

CISM Review Manual 15th Edition, page 113: “Baseline controls are the minimum security requirements that apply to all systems within the organization.”

CISM Review Questions, Answers & Explanations Database - 12 Month Subscription, question 478: “Baseline controls are the minimum security requirements that apply to all systems within the organization. They are derived from the organization’s security policies, standards, and best practices, and they reflect the organization’s risk appetite and tolerance.”

Performing a bit-by-bit backup of the hard disk using a write-blocking device is the first step to do when a forensic examination of a PC is required, but the PC has been switched off because it helps to create a forensically sound copy of the original evidence without altering or damaging it. A bit-by-bit backup, also known as a physical or raw image, is a complete copy of every bit on the hard disk, including the unallocated or deleted data. A write-blocking device is a hardware or software tool that prevents any write operations to the hard disk, such as updating timestamps or changing file attributes. Performing a bit-by-bit backup of the hard disk using a write-blocking device ensures the integrity and authenticity of the evidence and allows the forensic analysis to be conducted on the duplicate image rather than the original source. Therefore, performing a bit-by-bit backup of the hard disk using a write-blocking device is the correct answer.

References:

https://en.wikipedia.org/wiki/Computer_forensics

https://resources.infosecinstitute.com/topic/computer-forensics-forensic-analysis-examination-planning/

https://www.computer-forensics-recruiter.com/topics/examination_steps/