Short-Answer Quiz
- What is the primary focus of CISM Domain 1, Information Security Governance, and what is its weightage on the CISM exam?
- Define Information Risk Management (IRM) as it relates to CISM Domain 2, and list three benefits of implementing effective IRM practices.
- Explain the purpose of a Security Program Charter within CISM Domain 3. What body must ratify it?
- What are the four primary risk treatment options discussed in Domain 2? Briefly describe each one.
- According to Domain 4, what are the four key areas encompassed by Incident Management?
- Describe the Business Model for Information Security (BMIS). What are its four key elements and how many dynamic interconnections does it have?
- What is the NIST Cybersecurity Framework (CSF) and what does it guide an organization to do?
- Define the difference between a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) as outlined in Domain 2.
- According to Domain 3, what is the role of an audit? Define “audit criteria” and “audit findings” as part of the audit process.
- Differentiate between Normalcy Bias and Organizational Inertia as potential obstacles to security strategy development.
---
Answer Key
- The Information Security Governance domain of the CISM exam focuses on establishing and maintaining a framework to ensure that information security strategies align with business objectives and are consistent with applicable laws and regulations. This domain holds a total weightage of 17% in the exam.
- Information Risk Management (IRM) is the practice of balancing business opportunity with potential information security-related losses. The benefits of effective IRM practices include improved decision-making, increased efficiency, and reduced risk exposure.
- A Security Program Charter is a formal, written definition of the objectives, scope, and authority of a security program. Its purpose is to clearly outline the program’s mandate, and it must be ratified by executive management.
- The four risk treatment options are:
  - Mitigate: Implementing controls or making changes to reduce the impact or likelihood of the risk.
  - Accept: Accepting the potential risk and continuing with the activity without implementing controls.
  - Transfer: Shifting the risk to another party, often through insurance or outsourcing.
  - Avoid: Eliminating aspects of operations that pose unacceptable risks.
- The four key areas of the Incident Management domain are:
  - Security Incident Response
  - Developing Security Incident Response Plans and Playbooks
  - Developing and Testing Business Continuity Plans
  - Developing and Testing Disaster Recovery Plans
- The Business Model for Information Security (BMIS) is a framework that shows how everything in a security program is connected. Its four key elements are organization, people, process, and technology, and it features six dynamic interconnections.
- The NIST Cybersecurity Framework (CSF) is an outcomes-based security management and control framework developed by the U.S. National Institute of Standards and Technology (NIST). It guides an organization to understand its existing maturity levels, assess risk, identify gaps, and develop action plans for strategic improvement.
- A Recovery Time Objective (RTO) is the maximum tolerable time period from an outage to the resumption of service. A Recovery Point Objective (RPO) is the maximum amount of data loss that is acceptable during a disaster recovery scenario.
- An audit is a systematic, independent, and documented process for obtaining evidence and evaluating it to determine if audit criteria are fulfilled. “Audit criteria” are the policies, procedures, or standards used as a reference for comparison, while “audit findings” are the results of evaluating the evidence against those criteria.
- Normalcy Bias is a psychological obstacle, defined as the tendency to believe that because a disastrous event has never happened, it never will. Organizational Inertia is an institutional obstacle, defined as an organization’s resistance to change, which limits its ability to implement changes within a given timeframe.
---
Essay Questions
- Discuss the relationship between Information Security Governance (Domain 1) and an Information Security Program (Domain 3). How does the governance framework influence the development, management, and measurement of the security program?
- Explain the complete Risk Management Life-Cycle Process as described in Domain 2. Detail each stage, from identification through monitoring, and describe the role of a Risk Register within this process.
- Compare and contrast at least three information security frameworks mentioned in the source material (e.g., ISO 27001, NIST, COBIT). What are their primary functions, and how would a CISO choose the most appropriate framework for their organization?
- An organization has just experienced a significant security incident. Using the key areas from Domain 4 (Incident Management), outline a comprehensive approach to handling the incident and ensuring future resilience. Your answer should incorporate Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP).
- Elaborate on the importance of metrics in information security. Using terms from the provided glossaries (e.g., Security Governance Metrics, KPI, KRI, ROSI), explain how an information security manager can “tell the security management story” to executive stakeholders.
---
Glossary of Key Terms
| Term | Definition |
|---|---|
| Accept | A response to a threat where no course of action is taken. |
| Acceptable Risk | The degree of risk exposure an organization is willing to tolerate relative to its risk appetite. |
| Acceptance criteria | The requirements and essential conditions that have to be achieved before a deliverable is accepted. |
| Accrual | Work done for which payment is due but has not been made. |
| Acquisition strategy | The establishment of the most appropriate means of procuring the component parts or services of a project. |
| Activity | A task, job, operation or process consuming time and possibly other resources. |
| Activity duration | The length of time that it takes to complete an activity. |
| Activity ID | A unique code identifying each activity in a project. |
| Activity network | A graphical representation of the logical relationships among the project activities. Also known as a network diagram. |
| Activity status | The state of completion of an activity. |
| Actual cost | The incurred costs that are charged to the project budget and for which payment has been made, or accrued. |
| Actual cost of work performed (ACWP) | The total costs actually incurred (paid or accrued) and recorded in accomplishing work performed during a given time period. |
| Actual dates | The dates on which activities started and finished as opposed to planned or forecast dates. |
| Actual expenditure | The costs that have been charged to the budget and for which payment has been made or accrued. |
| Actual finish | The date on which an activity was completed. |
| Actual progress | A measure of the work that has been completed in comparison with the baseline. |
| Actual start | The date on which an activity was started. |
| Agile | A set of principles and practices for delivering projects that emphasize flexibility, collaboration, and customer satisfaction. |
| APM | The Association for Project Management, a professional body for project management in the UK. |
| APM Body of Knowledge | A collection of knowledge areas and terms that define the scope of project management as a profession, published by APM. |
| Asset | Anything that has value to the organization including people, information, technology, facilities and reputation. |
| Assurance process integration | The process of aligning and integrating the security program with other assurance processes and programs in the organization, such as audit, compliance, or enterprise risk management. |
| Audit | A systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. |
| Audit criteria | The set of policies, procedures, standards, regulations, or benchmarks used as a reference against which audit evidence is compared. |
| Audit evidence | The records, statements of fact, or other information that are relevant to the audit criteria and verifiable. |
| Audit findings | The results of the evaluation of audit evidence against audit criteria, which may indicate conformity, nonconformity, or opportunities for improvement. |
| Audit follow-up | The process of verifying the implementation and effectiveness of corrective actions taken as a result of an audit. |
| Audit objectives | The specific goals for an audit, such as determining whether controls exist and whether they are effective in some specific aspect of business operations in an organization. |
| Audit report | A formal document that communicates the audit objectives, scope, criteria, findings, conclusions, and recommendations, as well as any reservations, qualifications, or limitations. |
| Audit scope | The extent and boundaries of an audit, such as the locations, departments, functions, processes, systems, or controls to be audited. |
| Baseline | A reference point or standard against which performance or progress can be assessed. |
| Benefit | A measurable improvement resulting from an outcome that is perceived as an advantage by one or more stakeholders. |
| Benefit management | The identification, definition, planning, tracking, and realization of benefits. |
| Benefit realization | The process of ensuring that the benefits of a project are achieved and sustained after the project is completed. |
| Bid | A proposal submitted by a prospective supplier in response to an invitation to tender. |
| Bid evaluation | The process of assessing and comparing bids received from prospective suppliers, based on predefined criteria, such as price, quality, and technical capability. |
| Budget | The approved estimate for a project or a work package. |
| Business Alignment | Ensuring that the information security program fits into and supports the overall organization’s mission, goals, objectives, and strategy. |
| Business Case | A documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle. |
| Business continuity plan (BCP) | A plan that defines the methods that an organization will use to continue critical business operations after a disaster has occurred. |
| Business impact analysis (BIA) | An activity used to identify the impact of various disaster scenarios and to determine the most critical processes and systems in an organization. |
| Business Model for Information Security (BMIS) | A framework with four key elements – organization, people, process, technology – and six dynamic interconnections that shows how everything is connected. |
| Business process | A set of interrelated activities that produce a specific output for a particular customer or stakeholder. |
| BYOD (Bring Your Own Device) | The policy of permitting employees to use personal mobile devices to access company data and systems. |
| Capability Maturity Model | A methodology for evaluating process maturity on a scale (e.g. initial, repeatable, defined, managed, optimizing). |
| CASB (Cloud Access Security Broker) | Solutions that secure the use of cloud services by enforcing security policies. |
| Chief Information Security Officer (CISO) | The highest-ranking security executive responsible for developing security strategies and overseeing the security program. |
| COBIT 5 | A controls and governance framework for managing an IT organization, developed by ISACA. |
| COBIT 5 for Information Security | An extension of COBIT 5 that explains each component of COBIT 5 from an information security perspective. |
| Control | A measure that modifies risk by preventing, detecting, or correcting unwanted events or incidents. |
| Control Framework | A baseline set of information security controls, such as ISO 27001 or NIST 800-53. |
| CTI (Cyber Threat Intelligence) | Analyzed information about threats that helps organizations detect and respond to security incidents. |
| DAST (Dynamic Application Security Testing) | Testing applications while they are running to identify vulnerabilities and security flaws. |
| Digital rights management (DRM) | A type of access control technology used to control the distribution and use of electronic content. |
| DLP (Data Loss Prevention) | Solutions designed to detect potential data breaches and prevent data exfiltration. |
| Enterprise architecture (EA) | A business function and a technical model that ensures that important business needs are met by IT systems, and that IT systems are structured and consistent throughout the organization. |
| FAIR (Factor Analysis of Information Risk) | An analysis method that helps understand the factors that contribute to risk and estimate the probability and impact of losses. |
| Gap Assessment | Analysis to identify differences between the current and desired future state of the security program. |
| IDS (Intrusion Detection System) | Monitors network traffic and system activity for malicious activity and generates alerts. |
| Information security architecture | A subset or special topic within enterprise architecture that is concerned with the protective characteristics and specific components in an enterprise architecture that provide preventive or detective security functions. |
| Information Security Governance | The top-down management and control of security and risk management in an organization, usually through a steering committee. |
| Information security management system (ISMS) | A set of processes used to assess risk, develop policy and controls, and manage security operations, as defined by ISO/IEC 27001. |
| Information security program | The collection of activities used to identify, communicate, and address risks in an organization. |
| Information Risk Management | The practice of balancing business opportunity with potential information security-related losses. |
| IPS (Intrusion Prevention System) | Monitors network traffic like an IDS but can also block potentially malicious traffic. |
| Key performance indicator (KPI) | A type of security metric that measures how well an activity or process is achieving its objectives or goals. |
| Key risk indicator (KRI) | A metric that provides insight into the organization’s risk position. |
| NIST Cybersecurity Framework (CSF) | An outcomes-based security management and control framework that guides an organization to understand its existing maturity levels, assess risk, identify gaps, and develop action plans for strategic improvement. |
| Normalcy Bias | The tendency to believe that because something disastrous has never happened, it never will. |
| OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) | A risk analysis approach to identify and manage information security risks. |
| Organizational Inertia | An organization’s resistance to change, limiting its capacity to implement changes within a given timeframe. |
| PAM (Privileged Access Management) | Systems that secure, control and monitor privileged access to critical assets. |
| Performance management | The process of measuring and reporting the key activities and outcomes of the security program to management and stakeholders. |
| PKI (Public Key Infrastructure) | A system for the creation, storage, distribution and revocation of digital certificates based on public-key cryptography. |
| Recovery Point Objective (RPO) | The maximum data loss that is acceptable during a disaster recovery. |
| Recovery Time Objective (RTO) | The maximum tolerable time period from an outage to service resumption. |
| Residual Risk | The risk that remains after risk treatment activities have been applied. |
| Resource management | The process of ensuring that the security program uses resources effectively and efficiently to achieve its goals and objectives. |
| Return on Security Investment (ROSI) | The value delivered by security investments, often difficult to quantify due to unpredictable losses. |
| Risk Acceptance | Accepting the potential risk and continuing with the activity. |
| Risk analysis | The activity in a risk management program where individual risks are examined and quantified in terms of probability and impact. |
| Risk Appetite | The level of risk that an organization is willing to accept in pursuit of its objectives. |
| Risk Assessment | The process of identifying, analyzing and evaluating risk. |
| Risk Avoidance | Eliminating aspects of operations that pose unacceptable risks. |
| Risk Communication | Sharing information about risk management policies, processes and decisions with stakeholders. |
| Risk Ledger | A record reflecting risk assessments, threat assessments, vulnerabilities, incidents, and other risk management activities. |
| Risk Management | The process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk costs with mission benefits. |
| Risk Mitigation | Implementing controls or making changes to reduce the impact or likelihood of the risk. |
| Risk Register | A log of risks that contains information about the risk, affected assets, probability, impact and treatment. |
| Risk Tolerance | The acceptable level of variation relative to the achievement of objectives. |
| Risk Transfer | Shifting the risk to another party, often through insurance or outsourcing. |
| Risk treatment | The process of selecting and implementing appropriate controls to modify risk to an acceptable level. |
| Roles and Responsibilities | Clear definitions of the security-related activities expected to be performed by different individuals and groups in an organization. |
| SAST (Static Application Security Testing) | Analyzing application source code, binaries or bytecode for coding and design conditions that are indicative of security vulnerabilities. |
| Security Awareness | Communications to personnel on security best practices, risks, and responsibilities. |
| Security awareness training | A type of security education that aims to increase the knowledge and change the behavior of personnel regarding security policies, procedures, and best practices. |
| Security Balanced Scorecard | A tool to measure security performance against strategic objectives in categories like financial, customer, internal, innovation. |
| Security Constraints | Practical obstacles that may impact the ability to achieve strategic security objectives as planned. |
| Security Culture | The collective set of attitudes, practices, communication styles, ethics, and other behavior in an organization that influence the awareness and importance of information security. |
| Security Governance Metrics | Measurements used to gauge the effectiveness of information security governance in achieving strategic alignment, risk optimization, value delivery, etc. |
| Security incident | An event where the confidentiality, integrity, or availability of information (or an information system) has been or is in danger of being compromised. |
| Security Incident Log | A record of security events and responses used to identify trends and drive improvements. |
| Security Maturity | The level of formality, repeatability, and optimization of security practices. |
| Security Metrics | Measurements of security performance, risk, alignment to objectives, etc. to understand program effectiveness. |
| Security Operations Center (SOC) | A centralized unit that deals with security issues on an organizational and technical level. |
| Security Policy | Rules governing expected security behaviors and responsibilities throughout the organization. |
| Security program alignment | The process of ensuring that the security program supports and works in harmony with the rest of the organization and its business objectives. |
| Security program charter | A formal, written definition of the objectives, scope, and authority of a security program, ratified by executive management. |
| Security program framework | A business process model that includes essential processes and activities needed for effective security management and risk reduction. |
| Security Roadmap | A plan detailing the steps and timeline required to achieve strategic security objectives. |
| Security Standards | Detailed requirements for specific security implementation (e.g. encryption standards, access control standards). |
| Security Steering Committee | A group of stakeholders who provide strategic direction and oversight for information security governance activities. |
| Security Strategy | A plan to achieve defined security objectives to improve the organization’s security posture and reduce risk. |
| Shadow IT | Hardware, software or services within an enterprise that are not formally approved, provisioned or controlled by the organization’s IT department. |
| SIEM (Security Information and Event Management) | Software that aggregates and analyzes log data from across an organization’s infrastructure. |
| Strengths Weaknesses Opportunities Threats (SWOT) Analysis | Introspective analysis of internal strengths/weaknesses and external opportunities/threats. |
| Technical Debt | Problems in information systems stemming from poor design lacking architectural principles. |
| Third-Party Risk | The process of assessing and managing risks associated with vendors and other external service providers. |
| Threat | An event that could negatively impact an asset. |
| Threat Assessment | A process to identify relevant threats to the organization. |
| UBA (User Behavior Analytics) | Solutions that apply analytics and machine learning to detect insider threats, account compromise, and risky user activity. |
| UTM (Unified Threat Management) | An integrated security solution that includes functions like firewall, anti-malware, IDS/IPS and more in one appliance. |
| Value delivery | The process of ensuring that the security program delivers benefits to the organization, such as risk reduction, cost savings, or business enablement. |
| Vulnerability | A weakness that could be exploited by a threat to harm an asset. |
| Vulnerability Assessment | A review to identify weaknesses in systems that could be exploited. |