A recent audit found that an organization's new user accounts are not set up uniformly. Which of the following is MOST important for the information security manager to review?
The correct answer is D: Standards
The reasons for this are as follows:
(a) Security policies - dictate what must be done, but not how. This leaves it open to interpretation and thus the possibilities for inconsistencies.
(b) Automated controls do make things consistent, but this is not the security manager's role. This is a tech solution.
(c) Guidelines are suggestions, not mandatory things to do, and thus can result in inconsistencies.
(d) Standards make things mandatory and consistent. That is why it's the correct answer.
I believe it’s policy. In the policy it should state that standards should be developed to achieve consistency in configurations. If that is not in the policy, then the standard may not even exist.
This is one of the main differences between a policy and standard: Policies act as a statement of intent, while standards function as rules to achieve that intent.
D.
Standards provide the specific instructions needed to ensure that user account setups are performed uniformly, making them the most important aspect to review in this situation. Once standards are established and enforced, policies, automated controls, and guidelines can complement them in maintaining a robust security posture.
I believe A. The policies should provide the proper guidance as to whether the nonuniformity is acceptable or not. Any exceptions to the policies should have undergone a proper exception process. This is also true when we do our audits. We normally trace any deficiencies we note in our testing back to the audit client's policies to validate.
A. Security policies
When a recent audit reveals that new user accounts are not set up uniformly, the most important area for the information security manager to review is the organization's security policies. Security policies provide the overarching guidelines and directives for establishing and managing user accounts in a consistent and secure manner.
Standards are specific technical applications of something to be implemented. For example, you will make accounts utilizing XYZ. Policies are vague and do not have technical jargon. For example, "Sensitive data must be protected" is something in a policy. If you changed it to say "Sensitive data will be protected using high end encryption and MFA", that's a standard.
Security policies are the MOST important for the information security manager to review when a recent audit found that an organization's new user accounts are not set up uniformly.
This is about proper configurations. So it's D.
Standards: An organization’s security standards describe, in detail, the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organization.
Gregory, Peter H. CISM Certified Information Security Manager Bundle (p. 115). McGraw Hill LLC. Kindle Edition.
Standards are specific and measurable guidelines that establish a common framework for implementing security controls. They provide a set of rules that all users must follow when creating new user accounts, ensuring uniformity and consistency across the organization. Standards also help to ensure compliance with legal and regulatory requirements, as well as industry best practices.
Logic for A is a top-down approach on documentation...
Logic for D is bottom-up on documentation...
Documentation should follow the waterfall down, so I can't understand why standards (D) are the answer.
I think it should be A. Security Policies. Security policies define the security requirements and standards for the organization, and ensure that all employees are following the same procedures for new user accounts.