Finding out about the governance of third-party relationships

In today's world, most organizations are heavily reliant on a third party to achieve business objectives. The primary reason to obtain the services of a third party is to avail yourself of expert services in a cost-effective manner. These third parties can be in the form of a service provider, trading partners, group companies, or others.

These third parties are connected to the systems of the organization and have access to the data and other resources of the organization. To protect the organization, it is very important for an information security manager to assess the risk of such third-party relationships and ensure relevant controls are in place.

Policies and requirements of information security should be developed before the creation of any third-party relationship.

Also, the security manager should understand the following challenges of third-party relationships:

• The cultural differences between an organization and the service provider.
• Technology incompatibilities.
• The business continuity arrangements of the service provider may not have aligned to the requirements of the organization.
• Differences in incident management processes.
• Differences in disaster recovery capabilities.

Effective governance is highly dependent on the culture of the organization. Let's discuss this in more detail in our next topic.

The culture of an organization

The culture of an organization and its service provider is the most important factor that determines the implementation of an information security program. The culture of the organization influences risk appetite, that is, the willingness to take risks. This will have a significant influence on the design and implementation of the information security program. A culture that favors taking risks will have a different implementation approach to a culture that is risk-averse.

Cultural differences and their impact on data security are generally not considered during security reviews. Different cultures have different perspectives on what information is considered sensitive and how it should be handled. This cultural practice may not be consistent with an organization's requirements.

Compliance with laws and regulations

An information security manager should be cautious about adherence to laws and regulations. Laws and regulations should be addressed to the extent that they impact the organization.

The process should be in place to scan all the new regulations and determine the applicability of regulations to the organization.

The information security manager is required to determine the processes and activities that may be impacted and whether existing controls are adequate to address the new regulations. If not, then further controls should be implemented to address the new regulations.

Departments affected by the new regulations are in the best position to determine the impact of new regulatory requirements on their processes and the best way to address them.

The information security manager is required to assess the impact of privacy law on business processes. The prime focus of privacy law is to protect the identifiable personal data held by an organization.

Key aspects from the CISM exam perspective

The following are some of the key aspects from the CISM exam perspective:

Table 1.5 – Key aspects from the CISM exam perspective

Questions

1. What should be the first step of the information security manager when an organization plans to implement a bring your own device (BYOD) policy for mobile devices?

   A. To ask management to stop the BYOD policy implementation, stating the associated risk.

   B. To prepare a business case for the implementation of BYOD controls.

   C. To make the end users aware of BYOD risks.

   D. To determine the information security strategy for BYOD.

   Answer: D. To determine the information security strategy for BYOD.

   Explanation: The first step for the information security manager is to determine a strategy to protect the organization from the risks of BYOD. Option A is not feasible, as the role of the security manager is to facilitate business processes by mitigating the risk. Options B and C will be based on the security strategy.

2. The factor that influences the design and implementation of the information security program the most is which of the following?

   A. Types of vulnerabilities.

   B. The culture of the organization.

   C. The business objectives.

   D. The complexity of the business.

   Answer: B. The culture of the organization.

   Explanation: The culture of the organization influences the risk appetite which in turn has a significant influence on the design and implementation of the information security program. The business objective is important to prioritize the risk treatment. But the culture of the organization will have a major influence on the design and implementation of the security program. A pro-risk culture will have a different implementation approach to a risk-averse culture.

3. Which of the following will have the biggest influence while planning for business record retention?

   A. Potential changes in storage capacity.

   B. Potential changes in regulatory requirements.

   C. Potential changes in the business strategy.

   D. Potential changes in the application systems and media.

   Answer: D. Potential changes in the application systems and media.

   Explanation: The type and nature of the application systems and media and their capability to read and interpret different types of data formats is the most important factor for planning record retention. New application systems may not be able to read and interpret data generated by earlier applications. This is a major risk.

4. New regulatory requirements impacting information security will mostly come from which of the following?

   A. The chief legal officer.

   B. The chief audit officer.

   C. Affected departments.

   D. Senior management.

   Answer: C. Affected departments.

   Explanation: Departments affected by the new regulations are most likely to raise the requirements. They are in the best position to determine the impact of new regulatory requirements on their processes and the best way to address them.

5. Due to changes in the business strategy, certain information now no longer supports the purpose of the business. What should be done with this information?

   A. It should be analyzed under the retention policy.

   B. It should have restricted access.

   C. It should be frequently backed up.

   D. It should be evaluated by a business impact analysis.

   Answer: A. It should be analyzed under the retention policy.

   Explanation: From an information security perspective, such data should be analyzed under the retention policy, and then it should be determined whether the data is required to be maintained for business or regulatory reasons. If the data is no longer required, it should be removed in a secure manner. The other options are not sensible for data if it is of no use.

6. Primarily, the requirements of an information security program are based on which of the following?

   A. The IT policy.

   B. The desired outcomes.

   C. The management perceptions.

   D. The security strategy.

   Answer: B. The desired outcomes.

   Explanation: The desired outcomes should dictate the input requirements of an information security program. It is the responsibility of the security manager to ensure that the program is implemented in such a way that it achieves the desired outcome. The security strategy should also be based on the desired outcomes of the information security program.

7. The first step of an information security manager who noticed a new regulation impacting one of the organizations' processes should be which of the following?

   A. To pass on responsibility to the process owner for compliance.

   B. To survey the industry practices.

   C. To assess whether existing controls meet the regulation.

   D. To update the IT security policy.

   Answer: C. To assess whether existing controls meet the regulation.

   Explanation: The first step is to determine whether existing controls are adequate to address the new regulation. If existing controls are adequate, the need to perform other options is not required.

8. Privacy laws are mainly focused on which of the following?

   A. Big data analytics.

   B. Corporate data.

   C. Identity theft.

   D. Identifiable personal data.

   Answer: D. Identifiable personal data.

   Explanation: The prime focus of privacy law is to protect identifiable personal data. Identity theft is one of the ways of misusing personal data. There can also be other consequences. If analytics are done on identifiable personal data, it could impact privacy only if this violates regulatory provisions.

9. The information security manager noticed a regulation that impacts the handling of sensitive data. They should first do which of the following?

   A. Determine the processes and activities that may be impacted.

   B. Present a risk treatment option to senior management.

   C. Determine the cost of control.

   D. Discuss the possible consequences with the process owner.

   Answer: A. Determine the processes and activities that may be impacted.

   Explanation: The very first step is to determine the processes and activities that may be impacted. Based on that, the security manager can do a risk assessment and determine the level of impact. The other options are subsequent steps.

10. The most important factor to consider while developing a control policy is which of the following?

    A. Protecting data.

    B. Protecting life.

    C. Protecting the business's reputation.

    D. Protecting the business objectives.

    Answer: B. Protecting life.

    Explanation: The most important consideration is to protect human life. For example, carbon dioxide fire extinguishers should be restricted for areas where employees are working. Also, electric door access should be set to fail open in case of fire. The other options are secondary factors.

11. The information security manager should address laws and regulations in which way?

    A. To the extent they impact the organization.

    B. To meet the certification standards.

    C. To address the requirements of policies.

    D. To reduce the cost of compliance.

    Answer: A. To the extent they impact the organization.

    Explanation: Laws and regulations should be addressed to the extent they impact the organization, irrespective of whether they are required for certification standards or the requirements of policies.

12. Which of the following is the most important consideration in the retention of business records?

    A. Strategic objectives

    B. Regulatory and legal requirements.

    C. Storage capacity.

    D. The level of controls implemented.

    Answer: B. Regulatory and legal requirements.

    Explanation: Record retention should be primarily based on two factors: business requirements and legal requirements. If a record is required to be maintained for two years as per business requirements, and three years as per legal requirements, it should be maintained for three years. Organizations generally design their business requirements after considering the relevant laws and regulations.

13. What is the most important consideration for organizations involved in cross-border transactions?

    A. The capability of the IT architecture.

    B. The evolving data protection regulations.

    C. The cost of network bandwidth.

    D. The incident management process.

    Answer: B. The evolving data protection regulations.

    Explanation: Privacy laws vary from country to country and organizations must comply with the applicable laws from each country where their data is collected, processed, or stored. The other options are secondary factors.

14. What should be the next step for the board of directors when noticing new regulations impacting some of the organization's processes?

    A. Instruct the information security department for specific controls.

    B. Evaluate various solutions to address the new regulations.

    C. Require management to report on compliance.

    D. Evaluate the cost of implementing new controls.

    Answer: C. Require management to report on compliance.

    Explanation: The board of directors has oversight responsibilities, and they should monitor compliance. The board would not be directly involved in evaluating various alternatives and the cost of implementation. Also, the board will not directly instruct the information security department.

15. Which of the following factors is the most difficult to estimate?

    A. Vulnerabilities in the system.

    B. Legal and regulatory requirements.

    C. Compliance timelines.

    D. The threat landscape.

    Answer: D. The threat landscape.

    Explanation: A threat is something that exploits a vulnerability. Threat factors are not in the control of the organization. Examples of threat factors are hackers, fires, earthquakes, changes in the regulatory environment, and more. All of these factors are difficult to estimate and control. Other options are not as difficult to estimate as the threat landscape.

16. Which of the following is the risk that is likely to be most ignored during an onsite inspection of an offshore service provider?

    A. Cultural differences.

    B. Security controls.

    C. The network security.

    D. The documented IT policy.

    Answer: A. Cultural differences.

    Explanation: Cultural differences and their impact on data security are generally not considered during security reviews. Different cultures have different perspectives on what information is considered sensitive and how it should be handled. This cultural practice may not be consistent with the organization's requirements.

17. What does an organization's risk appetite mostly depend on?

    A. The threat landscape.

    B. The size of the information security team.

    C. The security strategy.

    D. The organization's culture.

    Answer: D. The organization's culture.

    Explanation: The culture of the organization determines the risk appetite of the organization. Pro-risk organizations generally tend to have more of a risk appetite as compared to risk-averse organizations. Other options do not directly impact the risk appetite.

18. What factor has the greatest impact on the security strategy?

    A. IT technology.

    B. System vulnerabilities.

    C. Network bandwidth.

    D. Organizational goals.

    Answer: D. Organizational goals.

    Explanation: The prime objective of a security strategy is to facilitate and support organizational goals. The other options are secondary factors.

19. What is the most important consideration for designing a security policy for a multi-national organization operating in different countries?

    A. The cost of implementation.

    B. The level of security awareness of the employees.

    C. The culture of the different countries.

    D. The capability of the security tools.

    Answer: C. The culture of the different countries.

    Explanation: Culture plays an important role for designing security policies. Different countries have different cultures and these impact their local legal requirements. The organization needs to ensure that the local laws of all the countries are appropriately addressed. Other options are not as significant as the local culture.

20. What should the next step be for the information security manager when noticing new regulations impacting some of the organization's processes?

    A. To identify whether the current controls are adequate.

    B. To update the audit department about the new regulations.

    C. To present a business case to senior management.

    D. To implement the requirements of new regulations.

    Answer: A. To identify whether the current controls are adequate.

    Explanation: The first step is to analyze and identify whether current controls are adequate. If current practice already adheres to the regulations, then there is no need to implement further controls.

21. What is the most important factor that determines the acceptable level of organizational standards?

    A. The current level of vulnerability.

    B. The risk appetite of the organization.

    C. IT policies and processes.

    D. The documented strategy.

    Answer: B. The risk appetite of the organization.

    Explanation: The risk appetite is the level of willingness of the organization to take risks. It sets the boundary of acceptable risks. This would determine the acceptable limit for the organizational standards. The other options do not directly impact the acceptable level of organizational standards.

22. What is the most important factor for promoting a positive information security culture?

    A. Monitoring by an audit committee.

    B. High budgets for security initiatives.

    C. Collaboration across business lines.

    D. Frequent information security audits.

    Answer: C. Collaboration across business lines.

    Explanation: Collaboration across business lines is of utmost importance to promote a positive information security culture. This will ensure collective efforts toward common security goals. The other options are not as significant as collaboration across business lines.