The responsibility for information security governance primarily resides with the board of directors and senior management. Information security governance is a subset of the overall enterprise governance. The board of directors is required to make security an important part of governance by way of monitoring key aspects of security. Senior management holds the responsibility to ensure that security aspects are integrated with business processes.
The involvement of senior management and the steering committee in discussions and in the approval of security projects indicates that the management is committed to aspects relating to security. Generally, a steering committee consists of senior officials from different departments. The role of an information security steering committee is to provide oversight on the security environment of the organization.
It is very important for a CISM aspirant to understand the steps for establishing the governance, as we will discuss in the next section.
For effective governance, it should be established in a structured manner. A CISM aspirant should understand the following steps for establishing governance:
Let's look a bit closer at an example of information security governance in the next section.
We will now go through the key aspects from the perspective of the CISM exam, and in our next topic, we will discuss important aspects of GRC. A CISM aspirant should understand why it is important to integrate all GRC functions.
- The effectiveness of information security governance is best indicated by which of the following?
A. Security projects are discussed and approved by a steering committee.
B. Security training is mandatory for all executive-level employees.
C. A security training module is available on the intranet for all employees.
D. Patches are tested before deployment.
Answer: A. Security projects are discussed and approved by a steering committee.
Explanation: The involvement of a steering committee in the discussion and approval of security projects indicates that the management is committed to security governance. The other options are not as significant as option A.
- An information security governance model is most likely to be impacted by which of the following?
A. The number of workstations.
B. The geographical spread of business units.
C. The complexity of the organizational structure.
D. The information security budget.
Answer: C. The complexity of the organizational structure.
Explanation: The information security governance model is primarily impacted by the complexity of the organizational structure. The organizational structure includes the organization's objectives, vision and mission, hierarchy structure, leadership structure, different function units, different product lines, and other relevant factors. The other options are not as significant as option C.
- Which of the following is the first step in implementing information security governance?
A. Employee training.
B. The development of security policies.
C. The development of security architecture.
D. The availability of an incident management team.
Answer: B. The development of security policies.
Explanation: Security policies indicate the intent of the management. Based on these policies, the security architecture and various procedures are designed.
- Which of the following factors primarily drives information security governance?
A. Technology requirements.
B. Compliance requirements.
C. The business strategy.
D. Financial constraints.
Answer: C. The business strategy.
Explanation: Information security governance should support the business strategy. Security must be aligned with business objectives. The other options are not a primary driver of information security governance.
- Which of the following is the responsibility of the information security governance steering committee?
A. To manage the information security team.
B. To design content for security training.
C. To prioritize the information security projects.
D. To provide access to critical systems.
Answer: C. To prioritize the information security projects.
Explanation: One of the important responsibilities of a steering committee is to discuss, approve, and prioritize information security projects and to ensure that they are aligned with the goals and objectives of the enterprise.
- Which of the following is the first step of information security governance?
A. To design security procedures and guidelines.
B. To develop a security baseline.
C. To define the security strategy.
D. To develop security policies.
Answer: C. To define the security strategy.
Explanation: The first step is to adopt the security strategy. The next step is to develop security policies based on this strategy. The step after this is to develop security procedures and guidelines based on the security policies.
- Which of the following is the most important factor for an information security governance program?
A. To align with the organization's business strategy.
B. To be derived from a globally accepted risk management framework.
C. To be able to address regulatory compliance.
D. To promote a risk-aware culture.
Answer: A. To align with the organization's business strategy.
Explanation. The most important objective of an information security governance program is to ensure that the information security strategy is in alignment with the strategic goals and objectives of the enterprise. The other options are secondary factors.
- Which of the following is effective governance best indicated by?
A. An approved security architecture.
B. A certification from an international body.
C. Frequent audits.
D. An established risk management program.
Answer: D. An established risk management program.
Explanation: An effective and efficient risk management program is a key element of effective governance. The other options are not as significant as an established risk management program.
- Which of the following is the effectiveness of governance best ensured by?
A. The use of a bottom-up approach.
B. Initiatives by the IT department.
C. A compliance-oriented approach.
D. The use of a top-down approach.
Answer: D. The use of a top-down approach.
Explanation: In a top-down approach, policies, procedures, and goals are set by senior management, and as a result, the policies and procedures are directly aligned with the business objectives. A bottom-up approach may not directly address management priorities. Initiatives by the IT department and a compliance-oriented approach are not as significant as the use of a top-down approach.
- What is the prime responsibility of the information security manager in the implementation of security governance?
A. To design and develop the security strategy.
B. To allocate a budget for the security strategy.
C. To review and approve the security strategy.
D. To train the end users.
Answer: A. To design and develop the security strategy.
Explanation: The prime responsibility of the information security manager is to develop the security strategy based on the business objectives in coordination with the business process owner. The review and approval of the security strategy is the responsibility of the steering committee and senior management. The security manager is not directly required to train the end users. The budget allocation is the responsibility of senior management.
- What is the most important factor when developing information security governance?
A. To comply with industry benchmarks.
B. To comply with the security budget.
C. To obtain a consensus from the business functions.
D. To align with organizational goals.
Answer: D. To align with organizational goals.
Explanation: The objective of the security governance is to support the objectives of the business. The most important factor is to align with organizational objectives and goals. The other options are secondary factors.
- What is the prime objective of GRC:
A. To synchronize and align the organization's assurance functions.
B. To address the requirements of the information security policy.
C. To address the requirements of regulations.
D. To design low-cost a security strategy.
Answer: A. To synchronize and align the organization's assurance functions.
Explanation: The concept of GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options can be considered secondary objectives.
- What organizational areas are the main focus for GRC?
A. Marketing and risk management.
B. IT, finance, and legal.
C. Risk and audit.
D. Compliance and information security.
Answer: B. IT, finance, and legal.
Explanation: Though a GRC program can be applied in any function of the organization, it is mostly focused on IT, finance, and legal areas. Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on IT processes. Legal GRC focuses on the overall enterprise-level regulatory compliance. GRC is majorly focused on IT, finance, and legal processes to ensure that regulatory requirements are adhered to and risks are appropriately addressed.
- What is the most effective way to build an information security governance program?
A. To align the requirements of the business with an information security framework.
B. To understand the objectives of the business units.
C. To address regulatory requirements.
D. To arrange security training for all managers.
Answer: B. To understand the objectives of the business units.
Explanation: The information security governance program will not be effective if it is not able to address the requirements of the business units. The objective of the business units can be best understood by reviewing their processes and functions. Option A is not correct, as security requirements should be aligned with the business and not the other way round. Options C and D are not as significant as option B.
- What is the main objective of information security governance?
A. To ensure the adequate protection of information assets.
B. To provide assurance to the management about information security.
C. To support complex IT infrastructure.
D. To optimize the security strategy to support the business objectives.
Answer: D. To optimize the security strategy to support the business objectives.
Explanation: The objective of security governance is to set the direction to ensure that the business objectives are achieved. Unless the information security strategy is aligned with the business objectives, the other options will not offer any value.
- The security manager noticed inconsistencies in the system configuration. What is the most likely reason for this?
A. Documented procedures are not available.
B. Ineffective governance.
C. Inadequate training.
D. Inappropriate standards.
Answer: B. Ineffective governance.
Explanation: Governance is the process of oversight to ensure the availability of effective and efficient processes. A lack of procedures, training, and standards is a sign of ineffective governance.
- What is an information security framework best described as?
A. A framework that provides detailed processes and methods.
B. A framework that provides required outputs.
C. A framework that provides structure and guidance.
D. A framework that provides programming inputs.
Answer: C. A framework that provides structure and guidance.
Explanation: A framework is a structure intended to support the processes and methods. They provide outlines and basic structure rather than detailed processes and methods. Frameworks are generally not intended to provide programming inputs.
- What is the main reason for integrating information security governance into business activities?
A. To allow the optimum utilization of security resources.
B. To standardize the processes.
C. To support operational processes.
D. To address operational risks.
Answer: D. To address operational risks.
Explanation: The main objective of integrating the security aspect in business processes is to address operational risks. The other options may be considered secondary benefits.
- Which of the following is the most important attribute of an effective information security governance framework?
A. A well-defined organizational structure with necessary resources and defined responsibilities.
B. The availability of the organization's policies and guidelines.
C. The business objectives support the information security strategy.
D. Security guidelines supporting regulatory requirements.
Answer: A. A well-defined organizational structure with necessary resources and defined responsibilities.
Explanation: The most important attribute is a well-defined organizational structure that minimizes any conflicts of interest. This ensures better governance. Options B and D are important aspects, but option A is more critical. Option C is not correct, as the security strategy supports the business objectives, and not the other way round.
- What is the most effective method to use to develop an information security program?
A. A standard.
B. A framework.
C. A process.
D. A model.
Answer: B. A framework.
Explanation: A framework is the most suitable method for developing an information security program as they are more flexible in adoption. Some of the common frameworks include ISO 27001 and COBIT. Standards, processes, and models are not as flexible as frameworks.
United States
Great Britain
India
Germany
France
Canada
Russia
Spain
Brazil
Australia
Singapore
Hungary
Ukraine
Luxembourg
Estonia
Lithuania
South Korea
Turkey
Switzerland
Colombia
Taiwan
Chile
Norway
Ecuador
Indonesia
New Zealand
Cyprus
Denmark
Finland
Poland
Malta
Czechia
Austria
Sweden
Italy
Egypt
Belgium
Portugal
Slovenia
Ireland
Romania
Greece
Argentina
Netherlands
Bulgaria
Latvia
South Africa
Malaysia
Japan
Slovakia
Philippines
Mexico
Thailand
Filter
