Isaca CISM Practice Test - Questions Answers, Page 46

Recommendations for enterprise investment in security technology should be PRIMARILY based on:

A. adherence to international standards
B. availability of financial resources
C. the organization's risk tolerance
D. alignment with business needs
Suggested answer: C

Explanation:

According to the CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.1, 'Recommendations for enterprise investment in security technology should be primarily based on the organization's risk tolerance.' The organization's risk tolerance is the degree of uncertainty that the organization is willing to accept in order to pursue its objectives. It reflects the organization's appetite for risk and its ability to cope with potential losses or disruptions. The higher the risk tolerance, the more aggressive and innovative the security investments can be, as they can help achieve faster growth or competitive advantage. The lower the risk tolerance, the more conservative and defensive the security investments should be, as they can help protect the organization's assets and reputation from potential threats.

A business impact analysis (BIA) should be periodically executed PRIMARILY to:

A. validate vulnerabilities on environmental changes.
B. analyze the importance of assets.
C. check compliance with regulations.
D. verify the effectiveness of controls.
Suggested answer: D

Explanation:

A business impact analysis (BIA) is a process that helps identify and evaluate the potential effects of disruptions or incidents on the organization's mission, objectives, and operations. A BIA should be periodically executed to verify the effectiveness of the controls that are implemented to prevent, mitigate, or recover from such disruptions or incidents.

According to the CISM Manual, a BIA should be performed at least annually for critical systems and processes, and more frequently for non-critical ones. A BIA should also be updated whenever there are significant changes in the organization's environment, such as new regulations, technologies, business models, or stakeholder expectations. A BIA should not be used to validate vulnerabilities on environmental changes (A), analyze the importance of assets (B), or check compliance with regulations (C), as these are not the primary purposes of a BIA.

Which of the following roles is PRIMARILY responsible for developing an information classification framework based on business needs?

A. Information security manager
B. Information security steering committee
C. Information owner
D. Senior management
Suggested answer: C

Explanation:

According to the CISM Review Manual (Digital Version), Chapter 3, Section 3.2.1, information owners are responsible for developing an information classification framework based on business needs. They are also responsible for defining and maintaining the classification scheme, policies, and procedures for their information assets. The CISM Review Manual (Digital Version) also states that information owners should collaborate with other stakeholders, such as information security managers, information security steering committees, senior management, and legal counsel, to ensure that the classification framework is aligned with the organization's objectives and complies with applicable laws and regulations. The CISM Exam Content Outline also covers the topic of information classification frameworks in Domain 3 --- Information Security Program Development and Management (27% exam weight). The subtopics include:

3.2.1 Information Classification Frameworks

3.2.2 Information Classification Policies

3.2.3 Information Classification Procedures

3.2.4 Information Classification Training

During the implementation of a new system, which of the following processes proactively minimizes the likelihood of disruption, unauthorized alterations, and errors?

A. Configuration management
B. Password management
C. Change management
D. Version management
Suggested answer: C

Explanation:

Change management is the process of planning, implementing, and monitoring changes to information systems in a controlled and coordinated manner. Change management proactively minimizes the likelihood of disruption, unauthorized alterations, and errors by ensuring that changes are aligned with the organization's objectives, policies, and procedures. Change management also involves identifying and mitigating the risks associated with changes, as well as communicating and documenting the changes to all relevant stakeholders [1][2].

References:
1. CISM Review Manual (Digital Version), page 271
2. CISM Review Manual (Print Version), page 271

Which of the following factors would have the MOST significant impact on an organization's information security governance mode?

A. Outsourced processes
B. Security budget
C. Number of employees
D. Corporate culture
Suggested answer: D

Explanation:

The corporate culture of an organization is the set of values, beliefs, norms, and behaviors that shape how the organization operates and interacts with its stakeholders. The corporate culture can have a significant impact on an organization's information security governance mode, which is the way the organization establishes, implements, monitors, and evaluates its information security policies, standards, and objectives. A strong information security governance mode requires a supportive corporate culture that fosters a shared vision, commitment, and accountability for information security among all levels of the organization. A supportive corporate culture can also help to overcome resistance to change, promote collaboration and communication, encourage innovation and learning, and enhance trust and confidence in information security [1][2].

References:
1. CISM Review Manual (Digital Version), Chapter 1: Information Security Governance
2. CISM Review Manual (Print Version), Chapter 1: Information Security Governance

Embedding security responsibilities into job descriptions is important PRIMARILY because it:

A. supports access management.
B. simplifies development of the security awareness program.
C. aligns security to the human resources (HR) function.
D. strengthens employee accountability.
Suggested answer: D

Explanation:

Employee accountability is the degree to which employees are responsible for their actions and outcomes related to information security. It reflects the extent to which employees understand their roles and responsibilities, follow the policies and procedures, report incidents and breaches, and comply with legal and regulatory requirements. Embedding security responsibilities into job descriptions helps to clarify the expectations and obligations of employees, as well as the consequences of non-compliance or negligence. It also helps to align the security objectives with the business goals and strategies, and to foster a culture of security awareness and responsibility.

Which of the following is the MOST important consideration when updating procedures for managing security devices?

A. Updates based on the organization's security framework
B. Notification to management of the procedural changes
C. Updates based on changes in risk, technology and process
D. Review and approval of procedures by management
Suggested answer: C

Explanation:

According to the CISM Manual, updating procedures for managing security devices should be based on changes in risk, technology and process, not on the organization's security framework, notification to management of the procedural changes, or review and approval of procedures by management. These are not the most important considerations when updating procedures for managing security devices, as they do not reflect the actual impact of the changes on the security posture of the organization. The CISM Manual states that "procedures for managing security devices should be updated whenever there are significant changes in the risk technology or process that affect the security devices" (IR 8287A). For example, if a new security device is introduced or an existing one is replaced, its procedures should be updated accordingly. Similarly, if a new risk technology or process is implemented that affects how security devices are configured, monitored, or maintained, its procedures should be updated as well. The CISM Manual also provides guidance on how to update procedures for managing security devices in a systematic and consistent manner. It recommends using a change management process that involves identifying, analyzing, approving, implementing, and evaluating changes to security device procedures. It also suggests using a change control board (CCB) that consists of representatives from different stakeholders who review and approve changes to security device procedures before they are implemented.

When management changes the enterprise business strategy, which of the following processes should be used to evaluate the existing information security controls as well as to select new information security controls?

A. Configuration management
B. Risk management
C. Access control management
D. Change management
Suggested answer: D

Explanation:

According to the CISM Review Manual (Digital Version), Chapter 3, Section 3.2.2, change management is the process of identifying, assessing, approving, implementing, and monitoring changes to information systems and information security controls. Change management is essential for ensuring that changes are aligned with the organization's business strategy and objectives, as well as complying with applicable laws and regulations.

The CISM Review Manual (Digital Version) also states that change management should be performed in conjunction with other processes, such as configuration management, access control management, and risk management. Configuration management is the process of identifying, documenting, controlling, and verifying the configuration items (CIs) of an information system. Access control management is the process of granting or denying access to information systems and information assets based on predefined policies and procedures. Risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to information systems and information assets.

The CISM Exam Content Outline also covers the topic of change management in Domain 3 --- Information Security Program Development and Management (27% exam weight). The subtopics include:

3.2.2 Change Management

3.2.3 Change Control

3.2.4 Change Implementation

3.2.5 Change Monitoring

An information security manager learns that business unit leaders are encouraging increased use of social media platforms to reach customers. Which of the following should be done FIRST to help mitigate the risk of confidential information being disclosed by employees on social media?

A. Establish an organization-wide social media policy.
B. Develop sanctions for misuse of social media sites.
C. Monitor social media sites visited by employees.
D. Restrict social media access on corporate devices.
Suggested answer: A

Explanation:

An organization-wide social media policy is a document that defines the rules and guidelines for using social media platforms within the organization. It covers topics such as who can use social media, what they can post, how they should protect confidential information, and what the consequences are for violating the policy. An organization-wide social media policy helps to mitigate the risk of confidential information being disclosed by employees on social media by providing a clear and consistent framework for managing social media activities [1][2].

References:
1. CISM Review Manual (Digital Version), page 271
2. CISM Review Manual (Print Version), page 271

A technical vulnerability assessment on a personnel information management server should be performed when:

A. the data owner leaves the organization unexpectedly.
B. changes are made to the system configuration.
C. the number of unauthorized access attempts increases.
D. an unexpected server outage has occurred.
Suggested answer: B

Explanation:

A technical vulnerability assessment is a process of identifying and evaluating the weaknesses and risks associated with a specific system, component, or network. A technical vulnerability assessment can help to determine the potential impact and likelihood of a security breach, as well as the appropriate measures to prevent or mitigate it. A technical vulnerability assessment should be performed on a personnel information management server whenever there is an increase in the number of unauthorized access attempts to the server, as this indicates that the server may have been compromised or targeted by an attacker [1][2]. Therefore, option C is the correct answer.

References:
1. CISM Review Manual (Digital Version), Chapter 5: Information Security Program Management
2. CISM Review Manual (Print Version), Chapter 5: Information Security Program Management

Total 793 questions