Isaca CISM Practice Test - Questions Answers, Page 62


Company A, a cloud service provider, is in the process of acquiring Company B to gain new benefits by incorporating their technologies within its cloud services.

Which of the following should be the PRIMARY focus of Company A's information security manager?

A. Company B's security policies
B. The cost to align to Company A's security policies
C. Company A's security architecture
D. The organizational structure of Company B

Suggested answer: C

Explanation:

Company A's security architecture is the PRIMARY focus of Company A's information security manager, because it defines the overall security design and controls for the cloud services that Company A provides to its customers. The information security manager should ensure that the security architecture is aligned with the business objectives and requirements of Company A, and that it can accommodate the integration of Company B's technologies without compromising the security, performance, and availability of the cloud services.

Reference:

CISM Review Manual, 16th Edition, ISACA, 2020, p. 67: "Security architecture is the design of the security controls that are applied to the information assets and the relationships among those assets."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 68: "The information security manager should ensure that the security architecture is aligned with the enterprise's business objectives and requirements and supports the information security strategy and program."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 69: "The information security manager should consider the impact of changes in the enterprise environment, such as mergers and acquisitions, on the security architecture and identify the necessary modifications or enhancements to maintain the security posture of the enterprise."

Which of the following is the BEST way to ensure data is not co-mingled or exposed when using a cloud service provider?

A. Obtain an independent audit report.
B. Require the provider to follow stringent data classification procedures.
C. Include high penalties for security breaches in the contract.
D. Review the provider's information security policies.

Suggested answer: B

Explanation:

Requiring the provider to follow stringent data classification procedures is the BEST way to ensure data is not co-mingled or exposed when using a cloud service provider, because it helps to define the sensitivity and confidentiality levels of the data and the corresponding security controls and access policies that should be applied. Data classification procedures can help to prevent unauthorized access, disclosure, modification, or deletion of the data, as well as to segregate the data from other customers' data.

Reference:

CISM Review Manual, 16th Edition, ISACA, 2020, p. 72: "Data classification is the process of assigning a level of sensitivity to data that reflects its importance and the impact of its disclosure, alteration, or destruction."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 73: "Data classification should be based on the business requirements for confidentiality, integrity, and availability of the data, and should consider the legal, regulatory, and contractual obligations of the enterprise."

Best Practices to Manage Risks in the Cloud - ISACA: "Commingling of data: A big concern many enterprises have with public cloud services is the commingling of data with that of the cloud provider's other customers. One of your first questions should be: 'How do you ensure that my data is not commingled with others?' How does the cloud provider ensure that only your team has access to your data?"

An organization involved in e-commerce activities operating from its home country opened a new office in another country with stringent security laws. In this scenario, the overall security strategy should be based on:

A. the security organization structure.
B. international security standards.
C. risk assessment results.
D. the most stringent requirements.

Suggested answer: D

When developing an information security strategy for an organization, which of the following is MOST helpful for understanding where to focus efforts?

A. Gap analysis
B. Project plans
C. Vulnerability assessment
D. Business impact analysis (BIA)

Suggested answer: A

Explanation:

Gap analysis is the MOST helpful tool for understanding where to focus efforts when developing an information security strategy for an organization, because it helps to identify the current state and the desired state of the information security governance, and the gaps between them. Gap analysis also helps to prioritize the actions and resources needed to close the gaps and achieve the information security objectives.

Reference:

CISM Review Manual, 16th Edition, ISACA, 2020, p. 36: "Gap analysis is the process of comparing the current state and the desired state of information security governance and identifying the gaps that need to be addressed."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 37: "Gap analysis should be performed periodically to assess the effectiveness and efficiency of the information security strategy and program and to identify the areas for improvement."

CISM domain 1: Information security governance [Updated 2022] - Infosec Resources: "Gap analysis: This is a comparison of the current state of security with the desired state. It helps to identify the gaps in security and prioritize the actions required to close them."

Which of the following would be of GREATEST assistance in determining whether to accept residual risk of a critical security system?

A. Available annual budget
B. Cost-benefit analysis of mitigating controls
C. Recovery time objective (RTO)
D. Maximum tolerable outage (MTO)

Suggested answer: B

Explanation:

A cost-benefit analysis of mitigating controls is of GREATEST assistance in determining whether to accept the residual risk of a critical security system, because it compares the cost of implementing and maintaining the controls with the benefit of the risk reduction they provide and the potential losses they avert. Cost-benefit analysis helps to justify the investment in security controls and to establish the level of residual risk that is acceptable to the organization.

Reference:

CISM Review Manual, 16th Edition, ISACA, 2020, p. 50: "Cost-benefit analysis is the process of comparing the costs of risk treatment options with the benefits of risk reduction and the potential losses from risk events."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 51: "Cost-benefit analysis can help to justify the investment in information security controls and to optimize the level of residual risk that is acceptable for the enterprise."

CISM Domain 2: Information Risk Management (IRM) [2022 update]: "Cost-benefit analysis: This is a comparison of the costs of implementing and maintaining security controls with the benefits of reducing risk and potential losses. It helps to justify the investment in security controls and optimize the level of residual risk."

Which of the following is the BEST control to protect customer personal information that is stored in the cloud?

A. Timely deletion of digital records
B. Appropriate data anonymization
C. Strong encryption methods
D. Strong physical access controls

Suggested answer: C

Explanation:

Strong encryption methods are the BEST control to protect customer personal information that is stored in the cloud, because they help to prevent unauthorized access, disclosure, modification, or deletion of the data by encrypting it at rest and in transit. Encryption is the process of transforming data into an unreadable format using a secret key or algorithm, so that only authorized parties can decrypt and access the data. Encryption can help to protect the confidentiality, integrity, and availability of the data, as well as to comply with legal and regulatory requirements.

Reference:

CISM Review Manual, 16th Edition, ISACA, 2020, p. 72: "Encryption is the process of transforming data into an unreadable format using a secret key or algorithm."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 73: "Encryption can help to protect the confidentiality, integrity, and availability of data, as well as to comply with legal and regulatory requirements for data protection."

Saas Data Security: Protecting Your Customers' Information In The Cloud - Fresent's Blog: "Encryption and Data Protection: One of the most effective ways to protect sensitive data in the cloud is to encrypt it both at rest and in transit. Encryption is the process of transforming data into an unreadable format using a secret key or algorithm, so that only authorized parties can decrypt and access the data."

An organization is experiencing a sharp increase in incidents related to phishing messages. The root cause is an outdated email filtering system that is no longer supported by the vendor. Which of the following should be the information security manager's FIRST course of action?

A. Reinforce security awareness practices for end users.
B. Temporarily outsource the email system to a cloud provider.
C. Develop a business case to replace the system.
D. Monitor outgoing traffic on the firewall.

Suggested answer: C

Explanation:

Developing a business case to replace the system is the FIRST course of action that the information security manager should take, because it helps to justify the need for a new and effective email filtering system that can prevent or reduce phishing incidents. A business case should include the problem statement, the proposed solution, the costs and benefits, the risks and assumptions, and the expected outcomes and metrics.

Reference:

CISM Review Manual, 16th Edition, ISACA, 2020, p. 42: "A business case is a document that provides the rationale and justification for an information security investment. It should include the problem statement, the proposed solution, the costs and benefits, the risks and assumptions, and the expected outcomes and metrics."

Email Filtering Explained: What Is It and How Does It Work: "Email filtering is a process used to sort emails and identify unwanted messages such as spam, malware, and phishing attempts. The goal is to ensure that they don't reach the recipient's primary inbox. It is an essential security measure that helps protect users from unwanted or malicious messages."

Cloud-based email phishing attack using machine and deep learning ...: "This attack is used to attack your email account and hack sensitive data easily."

Which of the following should an information security manager do FIRST to address the risk associated with a new third-party cloud application that will not meet organizational security requirements?

A. Include security requirements in the contract.
B. Update the risk register.
C. Consult with the business owner.
D. Restrict application network access temporarily.

Suggested answer: C

Explanation:

Consulting with the business owner is the FIRST course of action that the information security manager should take to address the risk associated with a new third-party cloud application that will not meet organizational security requirements, because it helps to understand the business needs and expectations for using the application, and to communicate the security risks and implications. The information security manager and the business owner should work together to evaluate the trade-offs between the benefits and the risks of the application, and to determine the best course of action, such as modifying the requirements, finding an alternative solution, or accepting the risk.

Reference:

CISM Review Manual, 16th Edition, ISACA, 2020, p. 41: "The information security manager should consult with the business owners to understand their needs and expectations for using third-party services, and to communicate the security risks and implications."

CISM Review Manual, 16th Edition, ISACA, 2020, p. 42: "The information security manager and the business owners should collaborate to evaluate the trade-offs between the benefits and the risks of using third-party services, and to determine the best course of action, such as modifying the requirements, finding an alternative solution, or accepting the risk."

Best Practices to Manage Risks in the Cloud - ISACA: "The information security manager should work with the business owner to define the security requirements for the cloud service, such as data protection, access control, incident response, and compliance."

Which of the following is the PRIMARY purpose of an acceptable use policy?

A. To provide steps for carrying out security-related procedures
B. To facilitate enforcement of security process workflows
C. To protect the organization from misuse of information assets
D. To provide minimum security baselines for information assets

Suggested answer: C

Explanation:

The PRIMARY purpose of an acceptable use policy is to protect the organization from misuse of information assets, such as data, hardware, software, and network resources, by defining the rules and expectations for the authorized and appropriate use of these assets by the users. An acceptable use policy helps to prevent or reduce the risks of security breaches, legal liabilities, reputational damage, or loss of productivity that may result from unauthorized, inappropriate, or unethical use of information assets.

Reference:

CISM Review Manual, 16th Edition, ISACA, 2020, p. 74: "An acceptable use policy is a policy that establishes an agreement between users and the enterprise that defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet."

The essentials of an acceptable use policy - Infosec Resources: "An Acceptable Use Policy (henceforward mentioned as 'AUP') is agreement between two or more parties to a computer network community, expressing in writing their intent to adhere to certain standards of behaviour with respect to the proper usage of specific hardware & software services."

Acceptable use policy template - Workable: "This Acceptable Use Policy sets the minimum requirements for the use of our company's IT resources, including computers, networks, devices, software, and internet. It aims to protect our company and our employees from harm and liability, and to ensure that our IT resources are used appropriately, productively, and securely."

Which of the following metrics BEST demonstrates the effectiveness of an organization's security awareness program?

A. Number of security incidents reported to the help desk
B. Percentage of employees who regularly attend security training
C. Percentage of employee computers and devices infected with malware
D. Number of phishing emails viewed by end users

Suggested answer: B