Isaca CISM Practice Test - Questions Answers, Page 47


A recent application security assessment identified a number of low- and medium-level vulnerabilities. Which of the following stakeholders is responsible for deciding the appropriate risk treatment option?

A. Security manager
B. Chief information security officer (CISO)
C. System administrator
D. Business owner
Suggested answer: B

Explanation:

Verified Answer: According to the CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.3, 'The appropriate risk treatment option is decided by the chief information security officer (CISO) or the designated risk owner.'

Comprehensive and Detailed Explanation: The CISO is the senior executive who is responsible for overseeing and managing the information security program of an organization. The CISO has the authority and expertise to assess the risks, determine the risk appetite and tolerance levels, and select the most suitable risk treatment options for each risk. The CISO also has the accountability and responsibility for implementing, monitoring, and reporting on the risk treatment activities.

Which of the following would BEST guide the development and maintenance of an information security program?

A. A business impact assessment
B. A comprehensive risk register
C. An established risk assessment process
D. The organization's risk appetite
Suggested answer: D

Explanation:

According to the CISM Manual, the organization's risk appetite is the amount and type of risk that the organization is willing to accept in order to achieve its objectives. The organization's risk appetite should guide the development and maintenance of an information security program, as it determines the level of security controls, resources, and activities that are needed to protect the organization's assets and operations.

The CISM Manual states that "the information security program should be aligned with the organization's risk appetite, which reflects its tolerance for risk and its strategic objectives" (IR 8288A). The information security program should also consider other factors that influence the organization's risk appetite, such as its mission, vision, values, culture, stakeholders, regulations, standards, guidelines, and best practices.

The CISM Manual also provides guidance on how to develop and maintain an information security program based on the organization's risk appetite. It recommends using a process that involves identifying, analyzing, evaluating, treating, monitoring, and reviewing risks that affect the organization's information assets. It also suggests using a framework or model that supports the development of an information security program based on the organization's risk appetite (e.g., ISO/IEC 27001).

Which of the following should be the PRIMARY outcome of an information security program?

A. Strategic alignment
B. Risk elimination
C. Cost reduction
D. Threat reduction
Suggested answer: A

Explanation:

According to the CISM Review Manual (Digital Version), Chapter 3, Section 3.2.1, strategic alignment is the primary outcome of an information security program. Strategic alignment means that the information security program supports and is tailored to the organization's objectives and business strategy. It also means that the information security program is aligned with other assurance functions, such as physical, human resources, quality, and IT.

The CISM Review Manual (Digital Version) also states that strategic alignment is essential for achieving a competitive advantage, enhancing customer trust, reducing legal and regulatory risks, and improving organizational performance. Strategic alignment requires effective communication and collaboration among all stakeholders, including senior management, information owners, information security managers, information security steering committees, and external partners.

The CISM Exam Content Outline also covers the topic of strategic alignment in Domain 3, Information Security Program Development and Management (33% exam weight). The subtopics include:

3.2.1 Information Security Strategy

3.2.2 Information Security Governance

3.2.3 Information Security Risk Management

3.2.4 Information Security Compliance


A new regulatory requirement affecting an organization's information security program is released. Which of the following should be the information security manager's FIRST course of action?

A. Perform a gap analysis.
B. Conduct benchmarking.
C. Notify the legal department.
D. Determine the disruption to the business.
Suggested answer: C

Explanation:

A new regulatory requirement affecting an organization's information security program is released. The information security manager's first course of action should be to notify the legal department, as they are responsible for ensuring compliance with the relevant laws and regulations. The legal department can advise the information security manager on how to interpret and implement the new requirement, as well as what the potential implications and risks for the organization are [1][2].

References: [1] CISM Review Manual (Digital Version), page 271; [2] CISM Review Manual (Print Version), page 271

Learn more:

1. isaca.org
2. csoonline.com

Which of the following is MOST important to maintain integration among the incident response plan, business continuity plan (BCP), and disaster recovery plan (DRP)?

A. Asset classification
B. Recovery time objectives (RTOs)
C. Chain of custody
D. Escalation procedures
Suggested answer: B

Explanation:

Recovery time objectives (RTOs) are the maximum acceptable time that an organization can be offline or unavailable after a disruption. RTOs are important to maintain integration among the incident response plan, business continuity plan (BCP), and disaster recovery plan (DRP) because they help align the recovery goals and strategies of each plan. By defining clear and realistic RTOs, an organization can ensure that its IT infrastructure and systems are restored as quickly as possible after a disaster, minimizing the impact on business operations and customer satisfaction.

Reference: CISM Manual, Chapter 6: Incident Response Planning, Section 6.2: Recovery Time Objectives (RTOs), page 97 [1]

[1]: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles

Internal audit has reported a number of information security issues that are not in compliance with regulatory requirements. What should the information security manager do FIRST?

A. Perform a vulnerability assessment
B. Perform a gap analysis to determine needed resources
C. Create a security exception
D. Assess the risk to business operations
Suggested answer: D

Explanation:

According to the CISM Manual, the information security manager should first assess the risk to business operations before taking any other action. This will help to prioritize the issues and determine the appropriate response. Performing a vulnerability assessment, a gap analysis, or creating a security exception are possible actions, but they should be based on the risk assessment results.

Reference: CISM Manual, 5th Edition, page 121 [1]; CISM Practice Quiz, question 32

An information security program is BEST positioned for success when it is closely aligned with:

A. information security best practices.
B. recognized industry frameworks.
C. information security policies.
D. the information security strategy.
Suggested answer: D

Explanation:

An information security program is best positioned for success when it is closely aligned with the information security strategy, which defines the organization's vision, mission, goals, objectives, and risk appetite for information security. The information security strategy provides the direction and guidance for developing and implementing the information security program, ensuring that it supports the organization's business processes and objectives. The information security strategy also helps to establish the scope, boundaries, roles, responsibilities, and resources for the information security program.

Reference: CISM Manual, Chapter 3: Information Security Program Development (ISPD), Section 3.1: Information Security Strategy [1]

[1]: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles

Which of the following should be established FIRST when implementing an information security governance framework?

A. Security architecture
B. Security policies
C. Security incident management team
D. Security awareness training program
Suggested answer: A

Explanation:

This is the most urgent and effective action to prevent further damage or compromise of the organization's network and data. The other options are less important or irrelevant in this situation.

According to "How to identify suspicious insider activity using Active Directory", one of the steps to detect and respond to suspicious activity is to isolate the affected device from the network. This can be done by disabling the network adapter, unplugging the network cable, or blocking the device's IP address on the firewall. This will prevent the device from communicating with any malicious actors or spreading malware to other devices on the network.


Which of the following should an information security manager do FIRST after identifying suspicious activity on a PC that is not in the organization's IT asset inventory?

A. Isolate the PC from the network
B. Perform a vulnerability scan
C. Determine why the PC is not included in the inventory
D. Reinforce information security training
Suggested answer: C

Explanation:

The first thing an information security manager should do after identifying suspicious activity on a PC that is not in the organization's IT asset inventory is to determine why the PC is not included in the inventory. This will help to identify the source and scope of the threat, as well as the potential impact and risk to the organization. The IT asset inventory is a list of all the hardware, software, data, and other resources that are owned, controlled, or used by an organization. It helps to establish accountability, visibility, and control over the IT assets, as well as to support security policies and procedures.

If a PC is not included in the inventory, it may indicate that it has been compromised by an unauthorized user or entity, or that it has been moved or transferred without proper authorization. It may also indicate that there are gaps or errors in the inventory management process, such as missing records, duplicate entries, outdated information, or inaccurate classification. These issues can pose significant challenges for information security management, such as:

Lack of visibility into the IT environment and assets

Difficulty in detecting and responding to incidents

Increased risk of data breaches and cyberattacks

Non-compliance with regulatory requirements and standards

Reduced trust and confidence among stakeholders

Therefore, an information security manager should take immediate steps to investigate why the PC is not included in the inventory and take appropriate actions to remediate the situation.

Reference: CISM Manual, Chapter 6: Incident Response Planning (IRP), Section 6.2: Inventory Management [1]

[1]: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles

An information security team is investigating an alleged breach of an organization's network. Which of the following would be the BEST single source of evidence to review?

A. File integrity monitoring software
B. Security information and event management (SIEM) tool
C. Antivirus software
D. Intrusion detection system (IDS)
Suggested answer: D

Explanation:

An intrusion detection system (IDS) is a software or hardware device that monitors network traffic and detects unauthorized or malicious activities, such as attacks, intrusions, or breaches. An IDS can provide valuable evidence for an information security team to investigate an alleged breach of an organization's network, as it can capture and analyze the network traffic in real time or after the fact. An IDS can help to identify the source, type, scope, and impact of the breach, as well as to generate alerts and reports for further investigation.

File integrity monitoring (FIM) software, a security information and event management (SIEM) tool, and antivirus software are not single sources of evidence for an information security team to review. FIM software monitors files and directories on a network or system and detects changes or modifications that may indicate unauthorized access or tampering. A SIEM tool collects and correlates data from various sources, such as logs, events, alerts, incidents, and threats, and provides a unified view of the security posture of an organization. Antivirus software scans files and programs on a network or system and detects malware infections that may compromise the security or functionality of the system.

However, these tools are not sufficient by themselves to provide conclusive evidence for an information security team to investigate an alleged breach of an organization's network. They may provide some clues or indicators of compromise (IOCs), but they may also generate false positives or negatives due to various factors, such as configuration errors, user behavior, benign activities, or evasion techniques. Therefore, an information security team should use multiple sources of evidence from different tools and methods to verify the validity and reliability of the findings.

Reference: CISM Manual, Chapter 6: Incident Response Planning (IRP), Section 6.2: Evidence Collection [1]

[1]: https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles

Total 793 questions