QUESTION 151

- (Topic 2)
A penetration test was conducted by an accredited third party. Which of the following should be the information security manager's FIRST course of action?

Correct Answer: D

QUESTION 152

- (Topic 2)
Which of the following is the PRIMARY objective of a business impact analysis (BIA)?

Correct Answer: A
The primary objective of a business impact analysis (BIA) is to determine recovery priorities. The BIA is used to identify and analyze the potential effects of an incident on the organization, including the financial impact, operational impact, and reputational impact. The BIA also helps to identify critical resources and processes, determine recovery objectives and strategies, and develop recovery plans. Reference: Certified Information Security Manager (CISM) Study Manual, Chapter 4, Business Impact Analysis.

QUESTION 153

- (Topic 3)
A recent application security assessment identified a number of low- and medium-level vulnerabilities. Which of the following stakeholders is responsible for deciding the appropriate risk treatment option?

Correct Answer: B
Verified Answer: According to the CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.3, "The appropriate risk treatment option is decided by the chief information security officer (CISO) or the designated risk owner." [1]
Comprehensive and Detailed Explanation: The CISO is the senior executive who is responsible for overseeing and managing the information security program of an organization. The CISO has the authority and expertise to assess the risks, determine the risk appetite and tolerance levels, and select the most suitable risk treatment options for each risk. The CISO also has the accountability and responsibility for implementing, monitoring, and reporting on the risk treatment activities.
References: [1] CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.3

QUESTION 154

- (Topic 3)
Which of the following is the PRIMARY reason to assign a risk owner in an organization?

Correct Answer: C
The primary reason to assign a risk owner in an organization is to ensure accountability for the risk and its treatment. A risk owner is a person or entity that has the authority and responsibility to manage a specific risk and to implement the appropriate risk response actions. By assigning a risk owner, the organization can ensure that the risk is monitored, reported, and controlled in accordance with the organization’s risk appetite and tolerance.
References: The CISM Review Manual 2023 defines risk owner as “the person or entity with the accountability and authority to manage a risk” and states that “the risk owner is responsible for ensuring that the risk is treated in a manner consistent with the enterprise’s risk appetite and tolerance” (p. 93). The CISM Review Questions, Answers & Explanations Manual 2023 also provides the following rationale for this answer: “To ensure accountability is the correct answer because it is the primary reason to assign a risk owner in an organization, as it ensures that the risk and its treatment are managed by a person or entity that has the authority and responsibility to do so” (p. 29). Additionally, the article Risk Ownership: The First Step of Effective Risk Management from the ISACA Journal 2019 states that “risk ownership is the first and most important step of effective risk management” and that “risk ownership ensures that there is clear accountability and responsibility for each risk and that risk owners are empowered to make risk decisions and implement risk responses” (p. 1).

QUESTION 155

- (Topic 3)
Application data integrity risk is MOST directly addressed by a design that includes:

Correct Answer: A
Reconciliation routines are methods to verify the integrity of data by comparing the input and output of a process or a system. They can detect errors, omissions, duplications or unauthorized modifications of data. They are more directly related to data integrity than the other options, which are more concerned with data definition, logging or access control.
References: CISM Review Manual, 16th Edition, Chapter 3, Section 3.4.21