During which of the following development phases is it MOST challenging to implement security controls?
The development phase is the stage of the system development life cycle (SDLC) in which the system's requirements, design, and architecture are turned into working code and configuration. It is the most challenging phase in which to implement security controls because it involves complex, fast-moving processes that may not be well understood or documented while the system is still taking shape. Security controls are essential for ensuring the confidentiality, integrity, and availability of the system and its data, and for meeting regulatory and contractual obligations. However, security controls can also add cost, risk, and constraints to the development process, such as:
Increased complexity and overhead of testing, verification, validation, and maintenance
Reduced flexibility and agility of changing requirements or design
Increased dependency on external vendors or third parties for security services or products
Increased exposure to errors, defects, or vulnerabilities in the code or configuration
Increased difficulty in measuring and reporting on security performance or effectiveness
Therefore, implementing security controls in the development phase requires careful planning, coordination, communication, and collaboration among all stakeholders involved in the SDLC. It also requires a clear understanding of the security objectives, scope, criteria, standards, policies, procedures, roles, responsibilities, and resources for the system, and a proactive approach to identifying and mitigating threats and risks that may affect the system's security before the code is finalized.
Reference= CISM Manual, Chapter 3: Information Security Program Development (ISPD), Section 3.1: System Development Life Cycle (SDLC)
https://store.isaca.org/s/store#/store/browse/cat/a2D4w00000Ac6NNEAZ/tiles
A recent application security assessment identified a number of low- and medium-level vulnerabilities. Which of the following stakeholders is responsible for deciding the appropriate risk treatment option?
Verified Answer: According to the CISM Review Manual, 15th Edition, Chapter 3, Section 3.2.1.3, 'The appropriate risk treatment option is decided by the chief information security officer (CISO) or the designated risk owner.'
The CISO is the senior executive responsible for overseeing and managing the organization's information security program. The CISO has the authority and expertise to assess risks, determine risk appetite and tolerance levels, and select the most suitable treatment option for each risk; where a risk owner has been designated for the affected application, that owner makes the treatment decision with the CISO's advice. The CISO also remains accountable for implementing, monitoring, and reporting on the risk treatment activities.
Which of the following should be the PRIMARY objective of an information security governance framework?
According to the Certified Information Security Manager (CISM) Study Manual, 'The primary objective of information security governance is to provide a framework for managing and controlling information security practices and technologies at an enterprise level. Its goal is to manage and reduce risk through a process of identification, assessment, and management of those risks.'
Demonstrating senior management commitment, complying with industry best practices, and ensuring user compliance with policies are all important aspects of information security governance, but none of them is the primary objective. The primary objective is to manage and reduce risk by establishing a framework for managing and controlling information security practices and technologies at an enterprise level.
Certified Information Security Manager (CISM) Study Manual, 15th Edition, Page 60.
Which of the following is MOST important to the successful implementation of an information security program?
The successful implementation of an information security program depends largely on the availability and allocation of adequate security resources: budget, staff, technology, and training. Without sufficient resources, the program cannot achieve its objectives, execute the security strategy, or address the identified security risks. Key performance indicators (KPIs), a balanced scorecard, and global security standards are also important elements of an information security program, but they are not as critical as resource allocation.
Reference= CISM Review Manual, 16th Edition, page 69
An information security manager learns of a new standard related to an emerging technology the organization wants to implement. Which of the following should the information security manager recommend be done FIRST?
The first step the information security manager should recommend when learning of a new standard related to an emerging technology is to determine whether the organization can benefit from adopting it. This involves evaluating the organization's business objectives, needs, and requirements, as well as the potential advantages, disadvantages, and challenges of implementing both the new technology and the new standard. The information security manager should also consider how the new standard aligns with the organization's existing policies, procedures, and standards, and its impact on the organization's information security governance, risk management, program, and incident management. A preliminary analysis of the feasibility, suitability, and desirability of the new standard gives senior management a sound basis for further decision making and planning.
Reference= CISM Review Manual, 16th Edition, Chapter 1: Information Security Governance, Section: Information Security Standards, page 39; CISM Review Questions, Answers & Explanations Manual, 10th Edition, Question 43, page 41.