Isaca Updated CISM Exam Questions and Answers by wyatt

Company A’s security architecture is the PRIMARY focus of Company A’s information security manager, because it defines the overall security design and controls for the cloud services that Company A provides to its customers. The information security manager should ensure that the security architecture is aligned with the business objectives and requirements of Company A, and that it can accommodate the integration of Company B’s technologies without compromising the security, performance, and availability of the cloud services.

References =

CISM Review Manual, 16th Edition, ISACA, 2020, p. 67: “Security architecture is the design of the security controls that are applied to the information assets and the relationships among those assets.”

CISM Review Manual, 16th Edition, ISACA, 2020, p. 68: “The information security manager should ensure that the security architecture is aligned with the enterprise’s business objectives and requirements and supports the information security strategy and program.”

CISM Review Manual, 16th Edition, ISACA, 2020, p. 69: “The information security manager should consider the impact of changes in the enterprise environment, such as mergers and acquisitions, on the security architecture and identify the necessary modifications or enhancements to maintain the security posture of the enterprise.”

The risk owner is the person who has the authority and accountability to make decisions about the risk, including whether to accept, avoid, transfer, or mitigate it. The risk owner is also responsible for implementing and monitoring the risk treatment plan and reporting on the risk status. The risk owner is usually the business process owner or the information owner of the asset affected by the risk. (From CISM Review Manual 15th Edition)

References: CISM Review Manual 15th Edition, page 64, section 2.2.1.2.

The third party’s lack of compliance with local regulations poses the greatest risk to the organization, as it may expose the organization to legal, regulatory, or reputational consequences, such as fines, sanctions, lawsuits, or loss of customer trust. Payroll information is considered sensitive personal data that may be subject to different privacy and security laws depending on the jurisdiction where it is generated, processed, or stored. Therefore, the organization should ensure that the third party adheres to the applicable regulations and standards, and obtains the necessary certifications or attestations to demonstrate compliance.

References = CISM Review Manual 2022, page 361; CISM Exam Content Outline, Domain 1, Task 1.22; Ensuring Vendor Compliance and Third-Party Risk Mitigation; How to Manage Access Risk Regarding Third-Party Service Providers

Strong encryption methods are the BEST control to protect customer personal information that is stored in the cloud, because they help to prevent unauthorized access, disclosure, modification, or deletion of the data by encrypting it at rest and in transit. Encryption is the process of transforming data into an unreadable format using a secret key or algorithm, so that only authorized parties can decrypt and access the data. Encryption can help to protect the confidentiality, integrity, and availability of the data, as well as to comply with legal and regulatory requirements.

References =

CISM Review Manual, 16th Edition, ISACA, 2020, p. 72: “Encryption is the process of transforming data into an unreadable format using a secret key or algorithm.”

CISM Review Manual, 16th Edition, ISACA, 2020, p. 73: “Encryption can help to protect the confidentiality, integrity, and availability of data, as well as to comply with legal and regulatory requirements for data protection.”

Saas Data Security: Protecting Your Customers’ Information In The Cloud - Fresent’s Blog: “Encryption and Data Protection: One of the most effective ways to protect sensitive data in the cloud is to encrypt it both at rest and in transit. Encryption is the process of transforming data into an unreadable format using a secret key or algorithm, so that only authorized parties can decrypt and access the data.”