- (Topic 3)
Which of the following is MOST helpful in determining the criticality of an organization's business functions?

1. A. Disaster recovery plan (DRP)
2. B. Business impact analysis (BIA)
3. C. Business continuity plan (BCP)
4. D. Security assessment report (SAR)

Correct Answer: B
Business impact analysis (BIA) is the most helpful in determining the criticality of an organization’s business functions because it is a process of identifying and evaluating the potential effects of disruptions or interruptions to those functions. BIA helps to prioritize the recovery of the most critical functions and to estimate the resources and time needed for the recovery. Therefore, business impact analysis (BIA) is the correct answer. References:
✑ https://www.linkedin.com/pulse/business-continuity-critical-functions-tino-marquez
✑ https://www.techtarget.com/searchitchannel/feature/Business-impact-analysis-for-business-continuity-Understanding-impact-criticality

- (Topic 1)
When developing an asset classification program, which of the following steps should be completed FIRST?

1. A. Categorize each asset.
2. B. Create an inventor
3. C. &
4. D. Create a business case for a digital rights management tool.
5. E. Implement a data loss prevention (OLP) system.

Correct Answer: B
Creating an inventory is the FIRST step in developing an asset classification program because it helps to identify and list all the information systems assets of the organization that need to be protected and classified. An inventory should include the asset name, description, owner, custodian, location, type, value, and other relevant attributes. Creating an inventory also enables the establishment of the ownership and custody of the assets, which are essential for defining the roles and responsibilities for asset protection and classification12. Categorizing each asset (A) is a subsequent step in developing an asset classification program, after creating an inventory. Categorizing each asset involves assigning a security level or category to each asset based on its value, sensitivity, and criticality to the organization. The security level or category determines the protection level and controls required for each asset12. Creating a business case for a digital rights management tool © is not a step in developing an asset classification program, but rather a possible outcome or recommendation based on the asset classification results. A digital rights management tool is a type of control that can help to enforce the security policies and objectives for the classified assets, such as preventing unauthorized access, copying, or distribution of the assets3. Implementing a data loss prevention (DLP) system (D) is also not a step in developing an asset classification program, but rather a possible outcome or recommendation based on the asset
classification results. A DLP system is a type of control that can help to monitor, detect, and prevent the loss or leakage of the classified assets, such as through email, web, or removable media4. References = 1: CISM Review Manual 15th Edition, page 77-781; 2: IT Asset Valuation, Risk Assessment and Control Implementation Model - ISACA2; 3: What is Digital Rights Management? - Definition from Techopedia3; 4: What is Data Loss Prevention (DLP)? - Definition from Techopedia4

- (Topic 3)
An information security manager has identified that privileged employee access requests to production servers are approved; but user actions are not logged. Which of the following should be the GREATEST concern with this situation?

1. A. Lack of availability
2. B. Lack of accountability
3. C. Improper authorization
4. D. Inadequate authentication

Correct Answer: B
The greatest concern with the situation of privileged employee access requests to production servers being approved but not logged is the lack of accountability, which means the inability to trace or verify the actions and decisions of the privileged users. Lack of accountability can lead to security risks such as unauthorized changes, data breaches, fraud, or misuse of privileges. Logging user actions is a key component of privileged access management (PAM), which helps to monitor, detect, and prevent unauthorized privileged access to critical resources. The other options, such as lack of
availability, improper authorization, or inadequate authentication, are not directly related to the situation of not logging user actions. References:
✑ https://www.microsoft.com/en-us/security/business/security-101/what-is-privileged-
access-management-pam
✑ https://www.ekransystem.com/en/blog/privileged-user-monitoring-best-practices
✑ https://www.beyondtrust.com/resources/glossary/privileged-access-management- pam

- (Topic 3)
Which is following should be an information security manager's PRIMARY focus during the development of a critical system storing highly confidential data?

1. A. Reducing the number of vulnerabilities detected
2. B. Ensuring the amount of residual risk is acceptable
3. C. Avoiding identified system threats
4. D. Complying with regulatory requirements

Correct Answer: B
The information security manager’s primary focus during the development of a critical system storing highly confidential data should be ensuring the amount of residual risk is acceptable. Residual risk is the level of cyber risk remaining after all the security controls are accounted for, any threats have been addressed and the organization is meeting security standards. It’s the risk that slips through the cracks of the system. For a critical system storing highly confidential data, the residual risk should be as low as possible, and within the organization’s risk appetite and tolerance. The information security manager should monitor and review the residual risk throughout the system development life cycle, and ensure that it is communicated and approved by the appropriate stakeholders. The other options are not the primary focus, although they may be part of the security objectives and activities. Reducing the number of vulnerabilities detected is a desirable outcome, but it does not necessarily mean that the residual risk is acceptable, as some vulnerabilities may have a higher impact or likelihood than others. Avoiding identified system threats is a preventive measure, but it does not account for unknown or emerging threats that may pose a residual risk to the system. Complying with regulatory requirements is a mandatory obligation, but it does not guarantee that the residual risk is acceptable, as regulations may not cover all aspects of security or reflect the specific context and needs of the organization.

- (Topic 1)
An incident management team is alerted ta a suspected security event. Before classifying the suspected event as a security incident, it is MOST important for the security manager to:

1. A. notify the business process owner.
2. B. follow the business continuity plan (BCP).
3. C. conduct an incident forensic analysis.
4. D. follow the incident response plan.

Correct Answer: D
= Following the incident response plan is the most important step for the security manager before classifying the suspected event as a security incident, as it provides the guidance and procedures for the incident management team to follow in order to identify, contain, analyze, and resolve security incidents. The incident response plan should define the roles and responsibilities of the incident management team, the criteria and process for incident classification and prioritization, the communication and escalation protocols, the tools and resources for incident handling, and the post-incident review and improvement activities123. References =
✑ 1: CISM Review Manual 15th Edition, page 199-2004
✑ 2: CISM Practice Quiz, question 1011
✑ 3: Computer Security Incident Handling Guide5, page 2-3