- (Topic 3)
An organization has acquired a new system with strict maintenance instructions and schedules. Where should this information be documented?

1. A. Standards
2. B. Policies
3. C. Guidelines
4. D. Procedures

Correct Answer: D
Procedures are the detailed steps or instructions for performing specific tasks or activities. They are usually aligned with standards, policies and guidelines, but they are more specific and prescriptive. System maintenance instructions and schedules are examples of procedures that should be documented and followed to ensure the proper functioning and security of the system.
References: The CISM Review Manual 2023 defines procedures as “the lowest level in the hierarchy of documentation. They are detailed steps that a user must follow to accomplish an activity” (p. 80). The CISM Item Development Guide also provides the following explanation for this Answer “Procedures are the correct answer because they provide the specific steps to be followed to maintain the system” (p. 11).

- (Topic 1)
An organization recently outsourced the development of a mission-critical business application. Which of the following would be the BEST way to test for the existence of backdoors?

1. A. Scan the entire application using a vulnerability scanning tool.
2. B. Run the application from a high-privileged account on a test system.
3. C. Perform security code reviews on the entire application.
4. D. Monitor Internet traffic for sensitive information leakage.

Correct Answer: C
The best way to test for the existence of backdoors in a mission-critical business application that was outsourced to a third-party developer is to perform security code reviews on the entire application. A backdoor is a hidden or undocumented feature or function in a software application that allows unauthorized or remote access, control, or manipulation of the application or the system it runs on. Backdoors can be intentionally or unintentionally introduced by the developers, or maliciously inserted by the attackers, and they can pose serious security risks and threats to the organization and its data. Security code reviews are the process of examining and analyzing the source code of a software application to identify and eliminate any security vulnerabilities, flaws, or weaknesses, such as backdoors, that may compromise the functionality, performance, or integrity of the application or the system. Security code reviews can be performed manually by the security experts, or automatically by the security tools, or both, and they can be done at different stages of the software development life cycle, such as design, coding, testing, or deployment. Security code reviews can help to detect and remove any backdoors in the application before they can be exploited by the attackers, and they can also help to improve the quality, reliability, and security of the application.
References = CISM Review Manual, 16th Edition, Chapter 3: Information Security Program Development and Management, Section: Information Security Program Development, page 1581; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 87, page 812; CISM ITEM DEVELOPMENT GUIDE, page 63.

- (Topic 3)
Which of the following is BEST used to determine the maturity of an information security program?

1. A. Security budget allocation
2. B. Organizational risk appetite
3. C. Risk assessment results
4. D. Security metrics

Correct Answer: D
Security metrics are the best way to determine the maturity of an information security program because they are quantifiable indicators of the performance and effectiveness of the security controls and processes. Security metrics help to evaluate the current state of security, identify gaps and weaknesses, measure progress and improvement, and communicate the value and impact of security to stakeholders. Therefore, security metrics are the correct answer.
References:
✑ https://www.isaca.org/resources/isaca-journal/issues/2020/volume-6/key-performance-indicators-for-security-governance-part-1
✑ https://www.gartner.com/en/publications/protect-your-business-assets-with-roadmap-for-maturing-information-security

- (Topic 2)
Which of the following is the BEST approach when creating a security policy for a global organization subject to varying laws and regulations?

1. A. Incorporate policy statements derived from third-party standards and benchmarks.
2. B. Adhere to a unique corporate privacy and security standard
3. C. Establish baseline standards for all locations and add supplemental standards as required
4. D. Require that all locations comply with a generally accepted set of industry

Correct Answer: C
= Creating a security policy for a global organization subject to varying laws and regulations is a challenging task, as it requires balancing the need for consistency, compliance, and flexibility. The best approach is to establish baseline standards for all locations that reflect the organization’s overall security objectives, principles, and requirements. These standards should be aligned with the organization’s mission, vision, values, and strategy, as well as with the applicable laws and regulations of each location. The baseline standards should also be reviewed and updated periodically to ensure their relevance and effectiveness. Additionally, supplemental standards can be added as required to address specific issues or risks that may arise in different locations or situations. Supplemental standards should be based on the best practices and lessons learned from the baseline standards, as well as on the feedback and input from the stakeholders of each location. References = CISM Review Manual, 16th Edition, page 1001

- (Topic 3)
An organization's information security manager reads on social media that a recently purchased vendor product has been compromised and customer data has been posted online. What should the information security manager do FIRST?

1. A. Perform a business impact analysis (BIA).
2. B. Notify local law enforcement agencies of a breach.
3. C. Activate the incident response program.
4. D. Validate the risk to the organization.

Correct Answer: D
The first thing that the information security manager should do after reading about a vendor product compromise on social media is to validate the risk to the organization. This means verifying the source and credibility of the information, determining if the organization uses the affected product, and assessing the potential impact and likelihood of the compromise on the organization’s data and systems. Validating the risk to the organization will help the information security manager to decide on the appropriate course of action, such as activating the incident response program, notifying relevant stakeholders, or performing a BIA.
References: The CISM Review Manual 2023 states that “the information security manager is responsible for identifying and assessing the risks associated with the use of third-party products and services” and that “the information security manager should monitor and review the security performance and incidents of third-party products and services on a regular basis and take corrective actions when deviations or violations are detected” (p. 138). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this Answer: “Validating the risk to the organization is the correct answer because it is the first and most important step to take after reading about a vendor product compromise on social media, as it will help the information security manager to confirm the accuracy and relevance of the information, and to evaluate the potential consequences and probability of the compromise on the organization’s data and systems” (p. 63). Additionally, the article Defending Against Software Supply Chain Attacks from the CISA website states that “the first step in responding to a software supply chain attack is to validate the risk to the organization by verifying the source and credibility of the information, determining if the organization uses the affected software, and assessing the potential impact and likelihood of the compromise on the organization’s data and systems” (p. 2)