1.

Which of the following answer specifies the correct sequence of levels within the Capability Maturity
Model (CMM)?

o Initial, Managed, Defined, Quantitatively managed, optimized

o Initial, Managed, Defined, optimized, Quantitatively managed

o Initial, Defined, Managed, Quantitatively managed, optimized

o Initial, Managed, Quantitatively managed, Defined, optimized

Explanation:

Maturity model

A maturity model can be viewed as a set of structured levels that describe how well the behaviors, practices and
processes of an organization can reliably and sustainable produce required outcomes.

CISA Certified
Information Systems Auditor Part 29 Q01 023

A maturity model can be used as a benchmark for comparison and as an aid to understanding – for example, for
comparative assessment of different organizations where there is something in common that can be used as a basis
for comparison. In the case of the CMM, for example, the basis for comparison would be the organizations’
software development processes.

Structure
The model involves five aspects:

Maturity Levels: a 5-level process maturity continuum – where the uppermost (5th) level is a notional ideal state
where processes would be systematically managed by a combination of process optimization and continuous
process improvement.

Key Process Areas: a Key Process Area identifies a cluster of related activities that, when performed together,
achieve a set of goals considered important.

Goals: the goals of a key process area summarize the states that must exist for that key process area to have been
implemented in an effective and lasting way. The extent to which the goals have been accomplished is an indicator
of how much capability the organization has established at that maturity level. The goals signify the scope,
boundaries, and intent of each key process area.

Common Features: common features include practices that implement and institutionalize a key process area.
There are five types of common features: commitment to perform, ability to perform, activities performed,
measurement and analysis, and verifying implementation.

Key Practices: The key practices describe the elements of infrastructure and practice that contribute most
effectively to the implementation and institutionalization of the area.

Levels
There are five levels defined along the continuum of the model and, according to the SEI: “Predictability,
effectiveness, and control of an organization’s software processes are believed to improve as the organization
moves up these five levels. While not rigorous, the empirical evidence to date supports this belief”.

Initial (chaotic, ad hoc, individual heroics) – the starting point for use of a new or undocumented repeat process.
Repeatable – the process is at least documented sufficiently such that repeating the same steps may be attempted.
Defined – the process is defined/confirmed as a standard business process, and decomposed to levels 0, 1 and 2
(the last being Work Instructions).
Managed – the process is quantitatively managed in accordance with agreed-upon metrics.
Optimizing – process management includes deliberate process optimization/improvement.

Within each of these maturity levels are Key Process Areas which characteristic that level, and for each such area
there are five factors: goals, commitment, ability, measurement, and verification. These are not necessarily unique
to CMM, representing — as they do — the stages that organizations must go through on the way to becoming
mature.

The model provides a theoretical continuum along which process maturity can be developed incrementally from
one level to the next. Skipping levels is not allowed/feasible.

Level 1 – Initial (Chaotic)

It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic
change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a
chaotic or unstable environment for the processes.

Level 2 – Repeatable
It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results.
Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are
maintained during times of stress.

Level 3 – Defined
It is characteristic of processes at this level that there are sets of defined and documented standard processes
established and subject to some degree of improvement over time. These standard processes are in place (i.e., they
are the AS-IS processes) and used to establish consistency of process performance across the organization.

Level 4 – Managed
It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-
IS process (e.g., for software development). In particular, management can identify ways to adjust and adapt the
process to particular projects without measurable losses of quality or deviations from specifications. Process
Capability is established from this level.

Level 5 – Optimizing
It is a characteristic of processes at this level that the focus is on continually improving process performance
through both incremental and innovative technological changes/improvements.

At maturity level 5, processes are concerned with addressing statistical common causes of process variation and
changing the process (for example, to shift the mean of the process performance) to improve process performance.
This would be done at the same time as maintaining the likelihood of achieving the established quantitative
process-improvement objectives.

The following answers are incorrect:

The other option specified in the option does not provide correct sequence.

Reference:

CISA review manual 2014 Page number 188

CISSP Official study guide page number 693

2. Which of the following dynamic interaction of a Business Model for Information Security (BMIS) is a
pattern of behaviors, effects, assumptions, attitude and ways of doing things?

o Governing

o Culture

o Enabling and support

o Emergence

Explanation:

Culture is a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. It is emergent and
learned, and it creates a sense of comfort. Culture evolves as a type of shared history as a group goes through a set
of common experiences. Those similar experiences cause certain responses, which become a set of expected and
shared behaviors. These behaviors become unwritten rules, which become norms that are shared by all people
who have that common history. It is important to understand the culture of the enterprise because it profoundly
influences what information is considered, how it is interpreted and what will be done with it. Culture may exist on
many levels, such as national (legislation/regulation, political and traditional), organizational (policies, hierarchical
style and expectations) and social (family, etiquette). It is created from both external and internal factors, and is
influenced by and influences organizational patterns.

For your exam you should know the information below.

Business Model for Information Security

The Business Model for Information Security (BMIS) originated at the Institute for Critical Information
Infrastructure Protection at the Marshall School of Business at the University of Southern California in the USA.
ISACA has undertaken the development of the Systemic Security Management Model. The BMIS takes a business-
oriented approach to managing information security, building on the foundational concepts developed by the
Institute. The model utilizes systems thinking to clarify complex relationships within the enterprise, and thus to
more effectively manage security. The elements and dynamic interconnections that form the basis of the model
establish the boundaries of an information security program and model how the program functions and reacts to
internal and external change. The BMIS provides the context for frameworks such as Cubit.

The essence of systems theory is that a system needs to be viewed holistically – not merely as a sum of its parts –
to be accurately understood. A holistic approach examines the system as a complete functioning unit. Another
tenet of systems theory is that one part of the system enables understanding of other parts of the system.
“Systems thinking” is a widely recognized term that refers to the examination of how systems interact, how
complex systems work and why “the whole is more than the sum of its parts.” Systems theory is most accurately
described as a complex network of events, relationships, reactions, consequences, technologies, processes and
people that interact in often unseen and unexpected ways. Studying the behaviors and results of the interactions
can assist the manager to better understand the organizational system and the way it functions. While
management of any discipline within the enterprise can be enhanced by approaching it from a systems thinking
perspective, its implementation will certainly help with managing risk.

The success that the systems approach has achieved in other fields bodes well for the benefits it can bring to
security. The often dramatic failures of enterprises to adequately address security issues in recent years are due, to
a significant extent, to their inability to define security and present it in a way that is comprehensible and relevant
to all stakeholders. Utilizing a systems approach to information security management will help information security
managers address complex and dynamic environments, and will generate a beneficial effect on collaboration within
the enterprise, adaptation to operational change, navigation of strategic uncertainty and tolerance of the impact of
external factors. The model is represented below.
 CISA Certified Information
Systems Auditor Part 29 Q02 024

As illustrated in above, the model is best viewed as a flexible, three-dimensional, pyramid-shaped structure made
up of four elements linked together by six dynamic interconnections.
All aspects of the model interact with each other. If any one part of the model is changed, not addressed or
managed inappropriately, the equilibrium of the model is potentially at risk. The dynamic interconnections act as
tensions, exerting a push/pull force in reaction to changes in the enterprise, allowing the model to adapt as
needed.

The four elements of the model are:

1. Organization Design and Strategy – An organization is a network of people, assets and processes interacting with
each other in defined roles and working toward a common goal.
An enterprise’s strategy specifies its business goals and the objectives to be achieved as well as the values and
missions to be pursued. It is the enterprise’s formula for success and sets its basic direction. The strategy should
adapt to external and internal factors. Resources are the primary material to design the strategy and can be of
different types (people, equipment, know-how). Design defines how the organization implements its strategy.
Processes, culture and architecture are important in determining the design.

2. People – The human resources and the security issues that surround them. It defines who implements (through
design) each part of the strategy. It represents a human collective and must take into account values, behaviors and
biases. Internally, it is critical for the information security manager to work with the human resources and legal
departments to address issues such as:
Recruitment strategies (access, background checks, interviews, roles and responsibilities)
Employment issues (location of office, access to tools and data, training and awareness, movement within the
enterprise)
Termination (reasons for leaving, timing of exit, roles and responsibilities, access to systems, access to other
employees). Externally, customers, suppliers, media, stakeholders and others can have a strong influence on the
enterprise and need to be considered within the security posture.

3. Process – Includes formal and informal mechanisms (large and small, simple and complex) to get things done and
provides a vital link to all of the dynamic interconnections.
Processes identify, measure, manage and control risk, availability, integrity and confidentiality, and they also ensure
accountability. They derive from the strategy and implement the operational part of the organization element.
To be advantageous to the enterprise, processes must:
Meet business requirements and align with policy
Consider emergence and be adaptable to changing requirements
Be well documented and communicated to appropriate human resources
Be reviewed periodically, once they are in place, to ensure efficiency and effectiveness

4. Technology – Composed of all of the tools, applications and infrastructure that make processes more efficient. As
an evolving element that experiences frequent changes, it has its own dynamic risk. Given the typical enterprise’s
dependence on technology, technology constitutes a core part of the enterprise’s infrastructure and a critical
component in accomplishing its mission.
Technology is often seen by the enterprise’s management team as a way to resolve security threats and risk. While
technical controls are helpful in mitigating some types of risk, technology should not be viewed as an information
security solution.
Technology is greatly impacted by users and by organizational culture. Some individuals still mistrust technology;
some have not learned to use it; and others feel it slows them down. Regardless of the reason, information security
managers must be aware that many people will try to sidestep technical controls.

Dynamic Interconnections
The dynamic interconnections are what link the elements together and exert a multidirectional force that pushes
and pulls as things change. Actions and behaviors that occur in the dynamic interconnections can force the model
out of balance or bring it back to equilibrium.

The six dynamic interconnections are:

1. Governing – Governing is the steering of the enterprise and demands strategic leadership. Governing sets limits
within which an enterprise operates and is implemented within processes to monitor performance, describe
activities and achieve compliance while also providing adaptability to emergent conditions. Governing incorporates
ensuring that objectives are determined and defined, ascertaining that risks are managed appropriately, and
verifying that the enterprise’s resources are used responsibly.
2. Culture – Culture is a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. It is
emergent and learned, and it creates a sense of comfort. Culture evolves as a type of shared history as a group
goes through a set of common experiences. Those similar experiences cause certain responses, which become a set
of expected and shared behaviors. These behaviors become unwritten rules, which become norms that are shared
by all people who have that common history. It is important to understand the culture of the enterprise because it
profoundly influences what information is considered, how it is interpreted and what will be done with it. Culture
may exist on many levels, such as national (legislation/regulation, political and traditional), organizational (policies,
hierarchical style and expectations) and social (family, etiquette). It is created from both external and internal
factors, and is influenced by and influences organizational patterns.
3. Enabling and support – The enabling and support dynamic interconnection connects the technology element to
the process element. One way to help ensure that people comply with technical security measures, policies and
procedures is to make processes usable and easy. Transparency can help generate acceptance for security controls
by assuring users that security will not inhibit their ability to work effectively. Many of the actions that affect both
technology and processes occur in the enabling and support dynamic interconnection. Policies, standards and
guidelines must be designed to support the needs of the business by reducing or eliminating conflicts of interest,
remaining flexible to support changing business objectives, and being acceptable and easy for people to follow.
4. Emergence – Emergence – which connotes surfacing, developing, growing and evolving – refers to patterns that
arise in the life of the enterprise that appear to have no obvious cause and whose outcomes seem impossible to
predict and control. The emergence dynamic interconnection (between people and processes) is a place to
introduce possible solutions such as feedback loops; alignment with process improvement; and consideration of
emergent issues in system design life cycle, change control, and risk management.
5. Human factors – The human factors dynamic interconnection represents the interaction and gap between
technology and people and, as such, is critical to an information security program. If people do not understand how
to use the technology, do not embrace the technology or will not follow pertinent policies, serious security
problems can evolve. Internal threats such as data leakage, data theft and misuse of data can occur within this
dynamic interconnection. Human factors may arise because of age, experience level and/or cultural experiences.
Because human factors are critical components in maintaining balance within the model, it is important to train all
of the enterprise’s human resources on pertinent skills.
6. Architecture – A security architecture is a comprehensive and formal encapsulation of the people, processes,
policies and technology that comprise an enterprise’s security practices. A robust business information architecture
is essential to understanding the need for security and designing the security architecture. It is within the
architecture dynamic interconnection that the enterprise can ensure defense in depth. The design describes how
the security controls are positioned and how they relate to the overall IT architecture. An enterprise security
architecture facilitates security capabilities across lines of businesses in a consistent and a cost-effective manner
and enables enterprises to be proactive with their security investment decisions.

The following answers are incorrect:

Governing – Governing is the steering of the enterprise and demands strategic leadership. Governing sets limits
within which an enterprise operates and is implemented within processes to monitor performance, describe
activities and achieve compliance while also providing adaptability to emergent conditions. Governing incorporates
ensuring that objectives are determined and defined, ascertaining that risks are managed appropriately, and
verifying that the enterprise’s resources are used responsibly.

Enabling and support – The enabling and support dynamic interconnection connects the technology element to the
process element. One way to help ensure that people comply with technical security measures, policies and
procedures is to make processes usable and easy. Transparency can help generate acceptance for security controls
by assuring users that security will not inhibit their ability to work effectively. Many of the actions that affect both
technology and processes occur in the enabling and support dynamic interconnection. Policies, standards and
guidelines must be designed to support the needs of the business by reducing or eliminating conflicts of interest,
remaining flexible to support changing business objectives, and being acceptable and easy for people to follow.

Emergence – Emergence – which connotes surfacing, developing, growing and evolving – refers to patterns that
arise in the life of the enterprise that appear to have no obvious cause and whose outcomes seem impossible to
predict and control. The emergence dynamic interconnection (between people and processes) is a place to
introduce possible solutions such as feedback loops; alignment with process improvement; and consideration of
emergent issues in system design life cycle, change control, and risk management.
Reference:

CISA review manual 2014 page number 37 and 38

http://www.isaca.org/Knowledge-Center/BMIS/Documents/IntrotoBMIS.pdf

3. Which of the following dynamic interaction of a Business Model for Information Security (BMIS) is a
place to introduce possible solutions such as feedback loops; alignment with process improvement; and
consideration of emergent issues in system design life cycle, change control, and risk management?

o Governing

o Culture

o Enabling and support

o Emergence

Explanation:

Emergence – which connotes surfacing, developing, growing and evolving – refers to patterns that arise in the life
of the enterprise that appear to have no obvious cause and whose outcomes seem impossible to predict and
control. The emergence dynamic interconnection (between people and processes) is a place to introduce possible
solutions such as feedback loops; alignment with process improvement; and consideration of emergent issues in
system design life cycle, change control, and risk management.

For your exam you should know the information below.

Business Model for Information Security

The Business Model for Information Security (BMIS) originated at the Institute for Critical Information
Infrastructure Protection at the Marshall School of Business at the University of Southern California in the USA.
ISACA has undertaken the development of the Systemic Security Management Model. The BMIS takes a business-
oriented approach to managing information security, building on the foundational concepts developed by the
Institute. The model utilizes systems thinking to clarify complex relationships within the enterprise, and thus to
more effectively manage security. The elements and dynamic interconnections that form the basis of the model
establish the boundaries of an information security program and model how the program functions and reacts to
internal and external change. The BMIS provides the context for frameworks such as Cubit.

The essence of systems theory is that a system needs to be viewed holistically – not merely as a sum of its parts –
to be accurately understood. A holistic approach examines the system as a complete functioning unit. Another
tenet of systems theory is that one part of the system enables understanding of other parts of the system.
“Systems thinking” is a widely recognized term that refers to the examination of how systems interact, how
complex systems work and why “the whole is more than the sum of its parts.” Systems theory is most accurately
described as a complex network of events, relationships, reactions, consequences, technologies, processes and
people that interact in often unseen and unexpected ways. Studying the behaviors and results of the interactions
can assist the manager to better understand the organizational system and the way it functions. While
management of any discipline within the enterprise can be enhanced by approaching it from a systems thinking
perspective, its implementation will certainly help with managing risk.
The success that the systems approach has achieved in other fields bodes well for the benefits it can bring to
security. The often dramatic failures of enterprises to adequately address security issues in recent years are due, to
a significant extent, to their inability to define security and present it in a way that is comprehensible and relevant
to all stakeholders. Utilizing a systems approach to information security management will help information security
managers address complex and dynamic environments, and will generate a beneficial effect on collaboration within
the enterprise, adaptation to operational change, navigation of strategic uncertainty and tolerance of the impact of
external factors. The model is represented below.

CISA Certified Information

Systems Auditor Part 29 Q03 025

As illustrated in above, the model is best viewed as a flexible, three-dimensional, pyramid-shaped structure made
up of four elements linked together by six dynamic interconnections.

All aspects of the model interact with each other. If any one part of the model is changed, not addressed or
managed inappropriately, the equilibrium of the model is potentially at risk. The dynamic interconnections act as
tensions, exerting a push/pull force in reaction to changes in the enterprise, allowing the model to adapt as
needed.

The four elements of the model are:

1. Organization Design and Strategy – organization is a network of people, assets and processes interacting with
each other in defined roles and working toward a common goal.
An enterprise’s strategy specifies its business goals and the objectives to be achieved as well as the values and
missions to be pursued. It is the enterprise’s formula for success and sets its basic direction. The strategy should
adapt to external and internal factors. Resources are the primary material to design the strategy and can be of
different types (people, equipment, know-how). Design defines how the organization implements its strategy.
Processes, culture and architecture are important in determining the design.
2. People – The human resources and the security issues that surround them. It defines who implements (through
design) each part of the strategy. It represents a human collective and must take into account values, behaviors and
biases. Internally, it is critical for the information security manager to work with the human resources and legal
departments to address issues such as:
Recruitment strategies (access, background checks, interviews, roles and responsibilities)
Employment issues (location of office, access to tools and data, training and awareness, movement within the
enterprise)
Termination (reasons for leaving, timing of exit, roles and responsibilities, access to systems, access to other
employees). Externally, customers, suppliers, media, stakeholders and others can have a strong influence on the
enterprise and need to be considered within the security posture.

3. Process – Includes formal and informal mechanisms (large and small, simple and complex) to get things done and
provides a vital link to all of the dynamic interconnections.
Processes identify, measure, manage and control risk, availability, integrity and confidentiality, and they also ensure
accountability. They derive from the strategy and implement the operational part of the organization element.
To be advantageous to the enterprise, processes must:
Meet business requirements and align with policy
Consider emergence and be adaptable to changing requirements
Be well documented and communicated to appropriate human resources
Be reviewed periodically, once they are in place, to ensure efficiency and effectiveness

4. Technology – Composed of all of the tools, applications and infrastructure that make processes more efficient. As
an evolving element that experiences frequent changes, it has its own dynamic risk. Given the typical enterprise’s
dependence on technology, technology constitutes a core part of the enterprise’s infrastructure and a critical
component in accomplishing its mission.
Technology is often seen by the enterprise’s management team as a way to resolve security threats and risk. While
technical controls are helpful in mitigating some types of risk, technology should not be viewed as an information
security solution.
Technology is greatly impacted by users and by organizational culture. Some individuals still mistrust technology;
some have not learned to use it; and others feel it slows them down. Regardless of the reason, information security
managers must be aware that many people will try to sidestep technical controls.

Dynamic Interconnections
The dynamic interconnections are what link the elements together and exert a multidirectional force that pushes
and pulls as things change. Actions and behaviors that occur in the dynamic interconnections can force the model
out of balance or bring it back to equilibrium.

The six dynamic interconnections are:

1. Governing – Governing is the steering of the enterprise and demands strategic leadership. Governing sets limits
within which an enterprise operates and is implemented within processes to monitor performance, describe
activities and achieve compliance while also providing adaptability to emergent conditions. Governing incorporates
ensuring that objectives are determined and defined, ascertaining that risks are managed appropriately, and
verifying that the enterprise’s resources are used responsibly.

2. Culture – Culture is a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. It is
emergent and learned, and it creates a sense of comfort. Culture evolves as a type of shared history as a group
goes through a set of common experiences. Those similar experiences cause certain responses, which become a set
of expected and shared behaviors. These behaviors become unwritten rules, which become norms that are shared
by all people who have that common history. It is important to understand the culture of the enterprise because it
profoundly influences what information is considered, how it is interpreted and what will be done with it. Culture
may exist on many levels, such as national (legislation/regulation, political and traditional), organizational (policies,
hierarchical style and expectations) and social (family, etiquette). It is created from both external and internal
factors, and is influenced by and influences organizational patterns.

3. Enabling and support – The enabling and support dynamic interconnection connects the technology element to
the process element. One way to help ensure that people comply with technical security measures, policies and
procedures is to make processes usable and easy. Transparency can help generate acceptance for security controls
by assuring users that security will not inhibit their ability to work effectively. Many of the actions that affect both
technology and processes occur in the enabling and support dynamic interconnection. Policies, standards and
guidelines must be designed to support the needs of the business by reducing or eliminating conflicts of interest,
remaining flexible to support changing business objectives, and being acceptable and easy for people to follow.

4. Emergence – Emergence – which connotes surfacing, developing, growing and evolving – refers to patterns that
arise in the life of the enterprise that appear to have no obvious cause and whose outcomes seem impossible to
predict and control. The emergence dynamic interconnection (between people and processes) is a place to
introduce possible solutions such as feedback loops; alignment with process improvement; and consideration of
emergent issues in system design life cycle, change control, and risk management.

5. Human factors – The human factors dynamic interconnection represents the interaction and gap between
technology and people and, as such, is critical to an information security program. If people do not understand how
to use the technology, do not embrace the technology or will not follow pertinent policies, serious security
problems can evolve. Internal threats such as data leakage, data theft and misuse of data can occur within this
dynamic interconnection. Human factors may arise because of age, experience level and/or cultural experiences.
Because human factors are critical components in maintaining balance within the model, it is important to train all
of the enterprise’s human resources on pertinent skills.

6. Architecture – A security architecture is a comprehensive and formal encapsulation of the people, processes,
policies and technology that comprise an enterprise’s security practices. A robust business information architecture
is essential to understanding the need for security and designing the security architecture. It is within the
architecture dynamic interconnection that the enterprise can ensure defense in depth. The design describes how
the security controls are positioned and how they relate to the overall IT architecture. An enterprise security
architecture facilitates security capabilities across lines of businesses in a consistent and a cost-effective manner
and enables enterprises to be proactive with their security investment decisions.

The following answers are incorrect:

Governing – Governing is the steering of the enterprise and demands strategic leadership. Governing sets limits
within which an enterprise operates and is implemented within processes to monitor performance, describe
activities and achieve compliance while also providing adaptability to emergent conditions. Governing incorporates
ensuring that objectives are determined and defined, ascertaining that risks are managed appropriately, and
verifying that the enterprise’s resources are used responsibly.

Enabling and support – The enabling and support dynamic interconnection connects the technology element to the
process element. One way to help ensure that people comply with technical security measures, policies and
procedures is to make processes usable and easy. Transparency can help generate acceptance for security controls
by assuring users that security will not inhibit their ability to work effectively. Many of the actions that affect both
technology and processes occur in the enabling and support dynamic interconnection. Policies, standards and
guidelines must be designed to support the needs of the business by reducing or eliminating conflicts of interest,
remaining flexible to support changing business objectives, and being acceptable and easy for people to follow.

Culture – Culture is a pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things. It is emergent
and learned, and it creates a sense of comfort. Culture evolves as a type of shared history as a group goes through
a set of common experiences. Those similar experiences cause certain responses, which become a set of expected
and shared behaviors. These behaviors become unwritten rules, which become norms that are shared by all people
who have that common history. It is important to understand the culture of the enterprise because it profoundly
influences what information is considered, how it is interpreted and what will be done with it. Culture may exist on
many levels, such as national (legislation/regulation, political and traditional), organizational (policies, hierarchical
style and expectations) and social (family, etiquette). It is created from both external and internal factors, and is
influenced by and influences organizational patterns.
Reference:
CISA review manual 2014 page number 37 and 38
http://www.isaca.org/Knowledge-Center/BMIS/Documents/IntrotoBMIS.pdf

4. A maturity model can be used to aid the implementation of IT governance by identifying:

o critical success factors (CSF)

o performance drivers

o improvement opportunities

o accountabilities

5. The effectiveness of an information security governance framework will BEST be enhanced if:

o consultants review the information security governance framework

o a culture of legal and regulatory compliance is promoted by management

o IS auditors are empowered to evaluate governance activities

o risk management is built into operational and strategic activities

6. Which of the following is the MOST important requirement for the successful implementation of
security governance?

o Aligning to an international security framework

o Mapping to organizational strategies

o Implementing a security balanced scorecard

o Performing an enterprise-wide risk assessment

7. Which of the following BEST demonstrates effective information security management within an
organization?
 o Employees support decisions made by information security management.

o Excessive risk exposure in one department can be absorbed by other departments.

o Information security governance is incorporated into organizational governance.

o Control ownership is assigned to parties who can accept losses related to control failure.

8. A multinational organization is introducing a security governance framework. The information security

manager’s concern is that regional security practices differ. Which of the following should be evaluated
FIRST?

o Local regulatory requirements

o Local IT requirements

o Cross-border data mobility

o Corporate security objectives

9. When facilitating the alignment of corporate governance and information security governance, which of
the following is the MOST important role of an organization’s security steering committee?

o Obtaining support for the integration from business owners

o Obtaining approval for the information security budget

o Evaluating and reporting the degree of integration

o Defining metrics to demonstrate alignment

10. Which of the following is a PRIMARY responsibility of an information security governance committee?

o Approving the purchase of information security technologies

o Approving the information security awareness training strategy

o Reviewing the information security strategy

o Analyzing information security policy compliance reviews

11. What is the MOST effective way to ensure security policies and procedures are up-to-date?

o Verify security requirements are being identified and consistently applied.

o Align the organization’s security practices with industry standards and best practice.

o Define and document senior management’s vision for the direction of the security

o Prevent security documentation audit issues from being raised

12. Which of the following is the PRIMARY advantage of having an established information security
governance framework in place when an organization is adopting emerging technologies?

o An emerging technologies strategy would be in place

o A cost-benefit analysis process would be easier to perform

o An effective security risk management process is established

o End-user acceptance of emerging technologies has been established

13. From a risk management perspective, which of the following is MOST important to be tracked in
continuous monitoring?

o Number of prevented attacks

o Changes in the threat environment

o Changes in user privileges

o Number of failed logins

14. Which of the following should be the PRIMARY objective of an information security governance
framework?

o Increase the organization’s return on security investment.

o Provide a baseline for optimizing the security profile of the organization.

o Ensure that users comply with the organization’s information security policies.

o practices

15. An organization has developed mature risk management practices that are followed across all
departments. What is the MOST effective way for the audit team to leverage this risk management
maturity?

o Facilitating audit risk identification and evaluation workshops

o Implementing risk responses on management’s behalf

o Providing assurances to management regarding risk

o Integrating the risk register for audit planning purposes

16. Which of the following findings would be of GREATEST concern to an IS auditor performing an
information security audit of critical server log management activities?

o Log records can be overwritten before being reviewed.

o Logging procedures are insufficiently documented.

 o Log records are dynamically into different servers.

o Logs are monitored using manual processes.

17. The BEST way to validate whether a malicious act has actually occurred in an application is to review:

o segregation of duties

o access controls

o activity logs

o change management logs

18. What type of control is being used when an organization publishes standards and procedures for
vulnerability management?

o Directive

o Preventive

o Corrective

o Detective

19. An IS auditor finds that application servers had inconsistent configurations leading to potential security
vulnerabilities. Which of the following should the auditor recommend FIRST?

o Enforce server baseline standards.

o Improve change management processes using a workflow tool.

o Hold the application owner accountable for monitoring metrics.

o Use a single vendor for the application servers.

20. Implementing a strong password policy is part of an organization’s information security strategy for the
year. A business unit believes the strategy may adversely affect a client’s adoption of a recently
developed mobile application and has decided not to implement the policy. Which of the following
would be the information security manager’s BEST course of action?

o Analyze the risk and impact of not implementing the policy

o Develop and implement a password policy for the mobile application

o Escalate non-implementation of the policy to senior management

o Benchmark with similar mobile applications to identify gaps