- (Topic 3)
An organization has implemented a new customer relationship management (CRM) system. Who should be responsible for enforcing authorized and controlled access to the CRM data?

1. A. The information security manager
2. B. The data custodian
3. C. Internal IT audit
4. D. The data owner

Correct Answer: B
The data custodian is the person or role who is responsible for enforcing authorized and controlled access to the CRM data, according to the security policies and standards defined by the data owner. The data custodian implements and maintains the technical and operational controls, such as authentication, authorization, encryption, backup, and recovery, to protect the data from unauthorized access, modification, disclosure, or destruction. The data custodian also monitors and reports on the data access activities and incidents.
References = Setting Up Access Controls and Permissions in Your CRM, Accountability for Information Security Roles and Responsibilities, Part 1, How to Meet the Shared Responsibility Model with CIS

- (Topic 3)
Which of the following is the BEST way to determine the gap between the present and desired state of an information security program?

1. A. Perform a risk analysis for critical applications.
2. B. Determine whether critical success factors (CSFs) have been defined.
3. C. Conduct a capability maturity model evaluation.
4. D. Review and update current operational procedures.

Correct Answer: C
A capability maturity model evaluation is the best way to determine the gap between the present and desired state of an information security program because it provides a systematic and structured approach to assess the current level of maturity of the information security processes and practices, and compare them with the desired or target level of maturity that is aligned with the business objectives and requirements. A capability maturity model evaluation can also help to identify the strengths and weaknesses of the information security program, prioritize the improvement areas, and develop a roadmap for achieving the desired state.
References = Information Security Architecture: Gap Assessment and Prioritization, CISM Review Manual 15th Edition

- (Topic 1)
Which of the following should be the MOST important consideration when establishing information security policies for an organization?

1. A. Job descriptions include requirements to read security policies.
2. B. The policies are updated annually.
3. C. Senior management supports the policies.
4. D. The policies are aligned to industry best practices.

Correct Answer: C
The most important consideration when establishing information security policies for an organization is to ensure that senior management supports the policies. Senior management support is essential for the successful implementation and enforcement of information security policies, as it demonstrates the commitment and accountability of the organization’s leadership to information security. Senior management support also helps to allocate adequate resources, establish clear roles and responsibilities, and promote a security-aware culture within the organization. Without senior management support, information security policies may not be aligned with the organization’s goals and objectives, may not be communicated and disseminated effectively, and may not be followed or enforced consistently.
Job descriptions that include requirements to read security policies are a way of ensuring that employees are aware of their security obligations, but they are not the most important consideration when establishing information security policies. The policies should be relevant and applicable to the employees’ roles and functions, and should be reinforced by regular training and awareness programs.
The policies should be updated periodically to reflect the changes in the organization’s environment, risks, and requirements, but updating them annually may not be sufficient or necessary. The frequency of updating the policies should depend on the nature and impact of the changes, and should be determined by a defined policy review process.
The policies should be aligned with industry best practices, standards, and frameworks, but this is not the most important consideration when establishing information security policies. The policies should also be customized and tailored to the organization’s specific context, needs, and expectations, and should be consistent with the organization’s vision, mission, and values. References =
✑ ISACA, CISM Review Manual, 16th Edition, 2020, pages 37-38.
✑ ISACA, CISM Review Questions, Answers & Explanations Database, 12th Edition, 2020, question ID 1009.

- (Topic 1)
Which of the following will result in the MOST accurate controls assessment?

1. A. Mature change management processes
2. B. Senior management support
3. C. Well-defined security policies
4. D. Unannounced testing

Correct Answer: D
Unannounced testing is the most accurate way to assess the effectiveness of controls, as it simulates a real-world scenario and does not allow the staff to prepare or modify their behavior in advance. Mature change management processes, senior management support, and well-defined security policies are all important factors for establishing and maintaining a strong security posture, but they do not directly measure the performance of controls. References = CISM Review Manual, 16th Edition, page 149. CISM Questions, Answers & Explanations Database, question ID 1003.

- (Topic 1)
Which of the following should be the PRIMARY area of focus when mitigating security risks associated with emerging technologies?

1. A. Compatibility with legacy systems
2. B. Application of corporate hardening standards
3. C. Integration with existing access controls
4. D. Unknown vulnerabilities

Correct Answer: D
= The primary area of focus when mitigating security risks associated with emerging technologies is unknown vulnerabilities. Emerging technologies are new and complex, and often involve multiple parties, interdependencies, and uncertainties. Therefore, they may have unknown vulnerabilities that could expose the organization to threats that are difficult to predict, detect, or prevent1. Unknown vulnerabilities could also result from the lack of experience, knowledge, or best practices in implementing, operating, or securing emerging technologies2. Unknown vulnerabilities could lead to serious consequences, such as data breaches, system failures, reputational damage, legal liabilities, or regulatory sanctions3. Therefore, it is important to focus on identifying, assessing, and addressing unknown vulnerabilities when mitigating security risks associated with emerging technologies.
The other options are not as important as unknown vulnerabilities, because they are either more predictable, manageable, or specific. Compatibility with legacy systems is a technical issue that could affect the performance, functionality, or reliability of emerging technologies, but it is not a security risk per se. It could be resolved by testing, upgrading, or replacing legacy systems4. Application of corporate hardening standards is a security measure that could reduce the attack surface and improve the resilience of emerging technologies, but it is not a sufficient or comprehensive solution. It could be limited by the availability, applicability, or effectiveness of the standards. Integration with existing access controls is a security requirement that could prevent unauthorized or inappropriate access to emerging technologies, but it is not a guarantee of security. It could be challenged by the complexity, diversity, or dynamism of the access scenarios. References = 1: Performing Risk Assessments of Emerging Technologies - ISACA 2: Assessing the Risk of Emerging Technology - ISACA 3: Factors Influencing Public Risk Perception of Emerging Technologies: A … 4: CISM Review Manual 15th Edition, Chapter 3, Section 3.3 : CISM Review Manual 15th Edition, Chapter 3, Section 3.4 : CISM Review Manual 15th Edition, Chapter 3, Section 3.5