Inspirational journeys

Follow the stories of academics and their research expeditions

CISM—Certified Information Security Manager - Part 26

Mary Smith

Wed, 16 Jul 2025

CISM—Certified Information Security Manager - Part 26

1. The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is theMOST critical security consideration?

A) Laws and regulations of the country of origin may not be enforceable in the foreign country.
B) A security breach notification might get delayed due to the time difference.
C) Additional network intrusion detection sensors should be installed, resulting in an additional cost.
D) The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.



2. Effective IT governance is BEST ensured by:

A) utilizing a bottom-up approach.
B) management by the IT department.
C) referring the matter to the organization's legal department.
D) utilizing a top-down approach.



3. The FIRST step to create an internal culture that focuses on information security is to:

A) implement stronger controls.
B) conduct periodic awareness training.
C) actively monitor operations.
D) gain the endorsement of executive management.



4. Which of the following is the BEST method or technique to ensure the effective implementation of an information security program?

A) Obtain the support of the board of directors.
B) Improve the content of the information security awareness program.
C) Improve the employees' knowledge of security policies.
D) Implement logical access controls to the information systems.



5. When an organization is implementing an information security governance program, its board of directors should be responsible for:

A) drafting information security policies.
B) reviewing training and awareness programs.
C) setting the strategic direction of the program.
D) auditing for compliance.



1. Right Answer: A
Explanation: A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in a24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Option C is a manageable problem that requires additional funding, but can be addressed. Option D is a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or a SAS 70 report can address such concerns.

2. Right Answer: D
Explanation: Effective IT governance needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of the same. Focus on the regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. IT governance affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process, but cannot take full responsibility.

3. Right Answer: D
Explanation: Endorsement of executive management in the form of policies provides direction and awareness. The implementation of stronger controls may lead to circumvention. Awareness training is important, but must be based on policies. Actively monitoring operations will not affect culture at all levels.

4. Right Answer: A
Explanation: It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and (' are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.

5. Right Answer: C
Explanation: A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.

0 Comments

Leave a comment