
Domain 3 – Section B Review: Information Security Program Management


This section integrates:

  • Control Design and Selection
  • Control Implementation and Integration
  • Control Testing and Evaluation
  • Security Awareness and Training
  • External Service Management
  • Program Communications and Reporting

CISM evaluates whether you can execute a security program in a governed, sustainable, risk-aligned manner.


1. Controls Must Be Risk-Aligned

Control design should:

  • Reflect asset classification
  • Reduce risk to within appetite
  • Balance preventive, detective, corrective layers
  • Consider operational impact
  • Be economically rational

The strongest control is not always the best control.


2. Implementation Requires Governance Discipline

Controls must:

  • Follow change management
  • Engage stakeholders
  • Include impact assessment
  • Update documentation
  • Integrate with architecture
  • Assign ownership

Implementation outside formal change management creates operational risk: untested interactions with existing systems, undocumented configuration, and no clear owner when the control fails.


3. Testing Validates Effectiveness

Controls must be:

  • Tested for design effectiveness
  • Evaluated for operating effectiveness
  • Reviewed based on risk level
  • Remediated when deficiencies are identified
  • Reported through governance channels

Unvalidated controls are assumed — not proven.


4. Awareness Reduces Human Risk

Training must:

  • Align with threat landscape
  • Target high-risk roles
  • Measure behavioral effectiveness
  • Support policy compliance
  • Reinforce risk culture

Completion rate ≠ effectiveness.


5. Third-Party Risk Is Retained Risk

Vendor governance requires:

  • Risk-based onboarding
  • Contractual safeguards
  • Ongoing monitoring
  • Fourth-party oversight
  • Clear internal ownership

Outsourcing services does not outsource accountability.


6. Communication Enables Governance

Reporting must:

  • Align with enterprise risk
  • Be audience-specific
  • Highlight trends
  • Trigger escalation when necessary
  • Support executive decisions

Technical noise is not governance reporting.


Section B – Practice Questions

Question 1

A preventive control would eliminate a moderate risk but significantly disrupt critical operations.

What is the MOST appropriate action?

  A. Implement the control immediately
  B. Evaluate proportional alternatives aligned with risk appetite
  C. Eliminate the business process
  D. Ignore the risk
Answer & Explanation

Correct Answer: B

Controls must balance risk reduction with operational feasibility. A control that eliminates a moderate risk while disrupting critical operations is disproportionate; proportional alternatives (for example a compensating or detective control, or partial mitigation) should be evaluated against risk appetite before a decision is made.

Question 2

A new security tool is deployed without following formal change management.

What is the PRIMARY governance weakness?

  A. Failure to follow structured implementation process
  B. Encryption gap
  C. Vendor inefficiency
  D. Monitoring delay
Answer & Explanation

Correct Answer: A

Control implementation must follow change governance.

Question 3

Control testing reveals repeated access review failures.

What should occur FIRST?

  A. Replace the access system
  B. Increase monitoring frequency
  C. Ignore minor issues
  D. Conduct root cause analysis and initiate remediation tracking
Answer & Explanation

Correct Answer: D

Repeated failures indicate systemic control weakness. Replacing the system or increasing monitoring frequency treats symptoms before the cause is known; root cause analysis followed by tracked remediation addresses the underlying deficiency and keeps it visible to governance until closed.

Question 4

Security awareness training shows 100% completion but phishing click rates remain high.

What is the MOST appropriate improvement?

  A. Increase training frequency
  B. Replace email systems
  C. Implement targeted, role-based reinforcement and measure behavioral outcomes
  D. Eliminate training
Answer & Explanation

Correct Answer: C

Effectiveness must be measured beyond completion rates. Full completion with persistently high click rates shows the training changed awareness on paper but not behavior; reinforcement should target the roles most exposed and be judged by the observed change in click and reporting rates.

Question 5

A critical vendor contract lacks right-to-audit language.

What is the PRIMARY risk?

  A. Encryption weakness
  B. Inability to validate vendor control effectiveness
  C. Monitoring delay
  D. Vendor reputation risk
Answer & Explanation

Correct Answer: B

Audit rights support ongoing third-party oversight. Without them, the organization must rely on the vendor's self-attestation and cannot independently verify that contracted controls operate effectively.

Question 6

Security reports focus heavily on vulnerability counts without linking to business impact.

What is the PRIMARY reporting deficiency?

  A. Lack of enterprise risk context
  B. Reduced automation
  C. Vendor inefficiency
  D. Increased scanning
Answer & Explanation

Correct Answer: A

Governance reporting must reflect enterprise risk posture.

Question 7

A control was implemented successfully but is not monitored for performance.

What is the MOST significant risk?

  A. Encryption failure
  B. Vendor delay
  C. Increased automation
  D. Inability to validate ongoing effectiveness
Answer & Explanation

Correct Answer: D

Controls must be measurable and monitored. Successful implementation establishes design effectiveness at a point in time; only ongoing performance monitoring demonstrates operating effectiveness as the environment and threat landscape change.

Question 8

A vendor engages subcontractors to process sensitive data without notifying your organization.

What is the MOST appropriate response?

  A. Ignore subcontractor activity
  B. Replace vendor immediately
  C. Assess fourth-party exposure and enforce contractual safeguards
  D. Increase internal encryption
Answer & Explanation

Correct Answer: C

Fourth-party risk requires structured oversight.

Question 9

Executive leadership is unaware of rising control failure trends.

What is the PRIMARY governance issue?

  A. Encryption weakness
  B. Inadequate program communication and escalation
  C. Vendor inefficiency
  D. Reduced automation
Answer & Explanation

Correct Answer: B

Material risk trends must be communicated.

Question 10

Security invests heavily in advanced tools but experiences high staff turnover and weak control testing.

What is the MOST significant underlying issue?

  A. Imbalance between people, process, and technology
  B. Encryption gap
  C. Vendor inefficiency
  D. Monitoring frequency
Answer & Explanation

Correct Answer: A

Program sustainability requires balanced resource alignment.


Section B Pattern Summary

In Domain 3 Section B:

  • Controls must be proportional.
  • Implementation must follow governance.
  • Testing validates effectiveness.
  • Awareness strengthens culture.
  • Vendors require lifecycle oversight.
  • Reporting drives accountability.

CISM rewards disciplined execution — not technical enthusiasm.
