Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Certified Information Security Manager Exam Prep Guide

You're reading from   Certified Information Security Manager Exam Prep Guide Gain the confidence to pass the CISM exam using test-oriented study material

Arrow left icon
Product type Paperback
Published in Dec 2022
Publisher Packt
ISBN-13 9781804610633
Length 718 pages
Edition 2nd Edition
Arrow right icon
Author (1):
Arrow left icon
Hemang Doshi Hemang Doshi
Author Profile Icon Hemang Doshi
Hemang Doshi
Arrow right icon
View More author details
Toc

Table of Contents (12) Chapters Close

Preface 1. Enterprise Governance 2. Information Security Strategy FREE CHAPTER 3. Information Risk Assessment 4. Information Risk Response 5. Information Security Program Development 6. Information Security Program Management 7. Information Security Infrastructure and Architecture 8. Information Security Monitoring Tools and Techniques 9. Incident Management Readiness 10. Incident Management Operations 11. Answers to Practice Questions

Legal, Regulatory, and Contractual Requirements

An information security manager should be cautious about adherence to laws and regulations. Laws and regulations should be addressed to the extent that they impact the organization.

Processes should be in place to scan all new regulations and determine their applicability to the organization.

The information security manager is required to determine the processes and activities that may be impacted and whether existing controls are adequate to address any new regulations. If not, further controls should be implemented to address the new regulations.

Departments affected by any new regulations are in the best position to determine the impact of new regulatory requirements on their processes, as well as the best ways to address them.

Key Aspects from the CISM Exam Perspective

The following are some key aspects from the exam perspective:

Question

Possible Answer

Who should determine the control processes for any new regulatory requirements?

The affected department (as they are in the best position to determine the impact of new regulatory requirements on their processes and the best way to address them)

What is the first step of an information security manager who notices a new regulation impacting one of the organization's processes?

To determine the processes and activities that may be impacted

To assess whether existing controls meet the regulations

What is the major focus of privacy law?

To protect identifiable personal data

Which factors have the greatest impact on the security strategy?

Organizational goals and objectives

Figure 1.4: Key aspects from the CISM exam perspective

Practice Question Set 3

  1. An information security steering committee has approved the implementation of a bring your own device (BYOD) policy for mobile devices. As an information security manager, what should your first step be?
    1. To ask management to stop the BYOD policy implementation, stating the associated risk
    2. To prepare a business case for the implementation of BYOD controls
    3. To make the end users aware of BYOD risks
    4. To determine the information security strategy for BYOD
  2. New regulatory requirements impacting information security will mostly come from which of the following?
    1. The chief legal officer
    2. The chief audit officer
    3. Affected departments
    4. Senior management
  3. Primarily, the requirements of an information security program are based on which of the following?
    1. The IT policy
    2. The desired outcomes
    3. The management perceptions
    4. The security strategy
  4. Which of the following should be the first step of an information security manager who notices a new regulation impacting one of the organization's processes?
    1. To pass on responsibility to the process owner for compliance
    2. To survey the industry practices
    3. To assess whether existing controls meet the regulation
    4. To update the IT security policy
  5. Privacy laws are mainly focused on which of the following?
    1. Big data analytics
    2. Corporate data
    3. Identity theft
    4. Identifiable personal data
  6. The information security manager notices a regulation that impacts the handling of sensitive data. Which of the following should they do first?
    1. Determine the processes and activities that may be impacted.
    2. Present a risk treatment option to senior management.
    3. Determine the cost of control.
    4. Discuss the possible consequences with the process owner.
  7. The information security manager should address laws and regulations in which way?
    1. To the extent that they impact the organization
    2. To meet the certification standards
    3. To address the requirements of policies
    4. To reduce the cost of compliance
  8. What is the most important consideration for organizations involved in cross-border transactions?
    1. The capability of the IT architecture
    2. The evolving data protection regulations
    3. The cost of network bandwidth
    4. The incident management process
  9. What should be the next step for the board of directors when they notice new regulations are impacting some of the organization's processes?
    1. Instruct the information security department to implement specific controls
    2. Evaluate various solutions to address the new regulations
    3. Require management to report on compliance
    4. Evaluate the cost of implementing new controls
  10. Which of the following factors is the most difficult to estimate?
    1. Vulnerabilities in the system
    2. Legal and regulatory requirements
    3. Compliance timelines
    4. The threat landscape
  11. What should the next step be for an information security manager upon noticing new regulations impacting some of the organization's processes?
    1. To identify whether the current controls are adequate
    2. To update the audit department about the new regulations
    3. To present a business case to senior management
    4. To implement the requirements of new regulations
lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image