Isaca CISM Practice Test - Questions Answers, Page 61

Communicating which of the following would be MOST helpful to gain senior management support for risk treatment options?

A. Quantitative loss
B. Industry benchmarks
C. Threat analysis
D. Root cause analysis
Suggested answer: A

Explanation:

Communicating the quantitative loss associated with the risk scenarios and the risk treatment options would be the most helpful to gain senior management support, as it helps to demonstrate the value and effectiveness of the risk treatment options in terms of reducing the likelihood and impact of the risk. Quantitative loss also helps to compare the cost and benefit of the risk treatment options and to prioritize the most critical risks. Industry benchmarks, threat analysis, and root cause analysis may be useful for understanding and assessing the risk, but they do not directly measure the performance of the risk treatment options.

Reference= Five Key Considerations When Developing Information Security Risk Treatment Plans, CISM Domain 2: Information Risk Management (IRM) [2022 update]

Which of the following should be the PRIMARY objective when establishing a new information security program?

A. Executing the security strategy
B. Minimizing organizational risk
C. Optimizing resources
D. Facilitating operational security
Suggested answer: A

Explanation:

According to the CISM Review Manual, the primary objective when establishing a new information security program is to execute the security strategy that has been defined and approved by the senior management. The security strategy provides the direction, scope, and goals for the information security program, and aligns with the business objectives and requirements. Minimizing organizational risk, optimizing resources, and facilitating operational security are possible outcomes or benefits of the information security program, but they are not the primary objective.

Reference= CISM Review Manual, 27th Edition, Chapter 3, Section 3.1.1, page 1151.

Which of the following events is MOST likely to require an organization to revisit its information security framework?

A. New services offered by IT
B. Changes to the risk landscape
C. A recent cybersecurity attack
D. A new technology implemented
Suggested answer: B

Explanation:

Changes to the risk landscape are the most likely events to require an organization to revisit its information security framework, because they may affect the organization's risk appetite, risk tolerance, risk profile, and risk treatment strategies. The information security framework should be aligned with the organization's business objectives and risk management approach, and should be reviewed and updated regularly to reflect the changing internal and external environment.

Reference=

CISM Review Manual, 16th Edition, ISACA, 2020, p. 35: "The information security framework should be reviewed and updated regularly to ensure that it remains aligned with the enterprise's business objectives and risk management approach and reflects the changing internal and external environment."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 36: "Changes in the risk landscape may require the enterprise to revisit its risk appetite, risk tolerance, risk profile, and risk treatment strategies."

Which of the following is the MOST essential element of an information security program?

A. Benchmarking the program with global standards for relevance
B. Prioritizing program deliverables based on available resources
C. Involving functional managers in program development
D. Applying project management practices used by the business
Suggested answer: C

Explanation:

Involving functional managers in program development is the most essential element of an information security program, because they are responsible for ensuring that the information security policies, standards, and procedures are implemented and enforced within their respective business units. They also provide input and feedback on the information security requirements, risks, and controls that affect their operations and objectives.

Reference=

CISM Review Manual, 16th Edition, ISACA, 2020, p. 37: "Functional managers are responsible for ensuring that the information security policies, standards, and procedures are implemented and enforced within their respective business units."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 38: "Functional managers should be involved in the development of the information security program to provide input and feedback on the information security requirements, risks, and controls that affect their operations and objectives."

Which of the following has the MOST influence on the information security investment process?

A. IT governance framework
B. Information security policy
C. Organizational risk appetite
D. Security key performance indicators (KPIs)
Suggested answer: C

An external security audit has reported multiple instances of control noncompliance. Which of the following is MOST important for the information security manager to communicate to senior management?

A. Control owner responses based on a root cause analysis
B. The impact of noncompliance on the organization's risk profile
C. A noncompliance report to initiate remediation activities
D. A business case for transferring the risk
Suggested answer: B

Explanation:

The impact of noncompliance on the organization's risk profile is the MOST important information for the information security manager to communicate to senior management, because it helps them understand the potential consequences of not adhering to the established controls and the need for corrective actions. Noncompliance may expose the organization to increased threats, vulnerabilities, and losses, as well as legal, regulatory, and contractual liabilities.

Reference=

CISM Review Manual, 16th Edition, ISACA, 2020, p. 84: "The information security manager should report on information security risk, including noncompliance and changes in information risk, to key stakeholders to facilitate the risk management decision-making process."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 85: "Noncompliance with information security policies, standards, and procedures may result in increased threats, vulnerabilities, and losses, as well as legal, regulatory, and contractual liabilities for the enterprise."

Which of the following would provide the BEST input to a business case for a technical solution to address potential system vulnerabilities?

A. Risk assessment
B. Business impact analysis (BIA)
C. Penetration test results
D. Vulnerability scan results
Suggested answer: A

Explanation:

Risk assessment is the BEST input to a business case for a technical solution to address potential system vulnerabilities, because it helps to identify and prioritize the most critical risks that the solution should mitigate or reduce. Risk assessment also helps to evaluate the costs and benefits of the solution in terms of reducing the likelihood and impact of potential threats and incidents.

Reference=

CISM Review Manual, 16th Edition, ISACA, 2020, p. 47: "Risk assessment is the process of identifying and analyzing information security risks and determining their potential impact on the enterprise's business objectives."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 48: "Risk assessment provides input to the business case for information security investments by identifying and prioritizing the most critical risks that need to be addressed and evaluating the costs and benefits of the proposed solutions."

To inform a risk treatment decision, which of the following should the information security manager compare with the organization's risk appetite?

A. Gap analysis results
B. Level of residual risk
C. Level of risk treatment
D. Configuration parameters
Suggested answer: B

Explanation:

Level of residual risk is the amount of risk that remains after applying risk treatment options, such as avoidance, mitigation, transfer, or acceptance. The information security manager should compare the level of residual risk with the organization's risk appetite, which is the amount of risk that the organization is willing to accept in pursuit of its objectives. The comparison will help to determine whether the risk treatment options are sufficient, excessive, or inadequate, and whether further actions are needed to align the risk level with the risk appetite.

Reference=

CISM Review Manual, 16th Edition, ISACA, 2020, p. 49: "Residual risk is the risk that remains after risk treatment."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 43: "Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 50: "The information security manager should compare the residual risk with the risk appetite and determine whether the risk treatment options are sufficient, excessive, or inadequate."

Which of the following is the BEST way to obtain organization-wide support for an information security program?

A. Mandate regular security awareness training.
B. Develop security performance metrics.
C. Position security as a business enabler.
D. Prioritize security initiatives based on IT strategy.
Suggested answer: C

Explanation:

Positioning security as a business enabler is the BEST way to obtain organization-wide support for an information security program, because it helps to demonstrate the value and benefits of security to the organization's strategic objectives, performance, and reputation. By aligning security with the business goals and needs, the information security manager can gain the buy-in and commitment of senior management and other stakeholders, and foster a positive security culture across the organization.

Reference=

CISM Review Manual, 16th Edition, ISACA, 2020, p. 37: "The information security manager should position information security as a business enabler that supports the achievement of the enterprise's business objectives and adds value to the enterprise."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 39: "The information security manager should communicate the value and benefits of information security to senior management and other stakeholders to obtain their support and commitment for the information security program."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 40: "The information security manager should promote a positive security culture within the enterprise by influencing the behavior and attitude of employees and other parties toward information security."

Which of the following BEST facilitates the development of a comprehensive information security policy?

A. Alignment with an established information security framework
B. An established internal audit program
C. Security key performance indicators (KPIs)
D. A review of recent information security incidents
Suggested answer: A

Explanation:

Alignment with an established information security framework is the BEST way to facilitate the development of a comprehensive information security policy, because it provides a consistent and structured approach to define, implement, and maintain the policy across the organization. An information security framework is a set of best practices, standards, and guidelines that help to ensure the effectiveness, efficiency, and compliance of the information security policy.

Reference=

CISM Review Manual, 16th Edition, ISACA, 2020, p. 35: "An information security framework is a set of best practices, standards, and guidelines that provide a consistent and structured approach to information security governance."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 36: "The information security policy should be aligned with an established information security framework to ensure its effectiveness, efficiency, and compliance."
