All About CISM book Sep 2017

CISM Royal Pack Testengine pdf


Proper study guides for the ISACA Certified Information Security Manager (CISM) certification begin with ISACA CISM preparation products, which are designed to deliver downloadable CISM questions and help you pass the CISM test on your first attempt. Try the free CISM demo right now.

If you would like to know more about the CISM exam, contact us or simply visit our website at 2PASSEASY.COM.

Q46. An information security program should be sponsored by: 

A. infrastructure management. 

B. the corporate audit department. 

C. key business process owners. 

D. information security management.

Answer: C Explanation:
The information security program should ideally be sponsored by business managers, as represented by key business process owners. Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business requirements. A corporate audit department is not in as good a position to fully understand how an information security program needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions. Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient operational knowledge and lack of proper authority. 

Q47. Successful implementation of information security governance will FIRST require: 

A. security awareness training. 

B. updated security policies. 

C. a computer incident management team. 

D. a security architecture.

Answer: B Explanation:
Updated security policies are required to align management objectives with security procedures; management objectives translate into policy, policy translates into procedures. Security procedures will necessitate specialized teams such as the computer incident response and management group as well as specialized tools such as the security mechanisms that comprise the security architecture. Security awareness will promote the policies, procedures and appropriate use of the security mechanisms. 

Q48. Investments in information security technologies should be based on: 

A. vulnerability assessments. 

B. value analysis. 

C. business climate. 

D. audit recommendations.

Answer: B Explanation:
Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate because it is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified. 

Q49. The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is: 

A. Secure Sockets Layer (SSL). 

B. Secure Shell (SSH). 

C. IP Security (IPSec). 

D. Secure/Multipurpose Internet Mail Extensions (S/MIME).

Answer: A Explanation:
Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications over the Internet, offering end point authentication and communications privacy. In typical use, all data transmitted between the customer and the business are, therefore, encrypted by the business's web server and remain confidential. SSH File Transfer Protocol (SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer. IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of e-mail encapsulated in MIME; it is not a web transaction protocol.

Q50. During which phase of development is it MOST appropriate to begin assessing the risk of a new application system? 

A. Feasibility 

B. Design 

C. Development 

D. Testing

Answer: A Explanation:
Risk should be addressed as early in the development of a new application system as possible. In some cases, identified risks could be mitigated through design changes. If needed changes are not identified until design has already commenced, such changes become more expensive. For this reason, beginning risk assessment during the design, development or testing phases is not the best solution. 

Q51. Which of the following would be the MOST relevant factor when defining the information classification policy?

A. Quantity of information 

B. Available IT infrastructure 

C. Benchmarking 

D. Requirements of data owners

Answer: D Explanation:
When defining the information classification policy, the requirements of the data owners need to be identified. The quantity of information, availability of IT infrastructure and benchmarking may be part of the scheme after the fact and would be less relevant. 

Q52. To justify its ongoing security budget, which of the following would be of MOST use to the information security department?

A. Security breach frequency 

B. Annualized loss expectancy (ALE) 

C. Cost-benefit analysis 

D. Peer group comparison

Answer: C Explanation:
Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact. Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization. 
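To show why the explanation prefers cost-benefit analysis over ALE, here is an added example (not part of the original dump) that computes ALE as SLE x ARO and then ranks candidate controls by net benefit; every figure and control name is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate security investment and the residual risk it leaves behind."""
    name: str
    annual_cost: float   # yearly cost of buying and operating the control
    sle_after: float     # single loss expectancy once the control is in place
    aro_after: float     # annualized rate of occurrence once the control is in place


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per incident times incidents per year."""
    return sle * aro


def net_benefit(ale_before: float, control: Control) -> float:
    """Cost-benefit view: the ALE reduction the control delivers minus its annual cost.

    A negative value means the control costs more per year than the loss it avoids,
    which ALE figures on their own never reveal."""
    ale_after = ale(control.sle_after, control.aro_after)
    return (ale_before - ale_after) - control.annual_cost


def rank_controls(sle: float, aro: float, controls: list[Control]) -> list[Control]:
    """Order controls by net benefit, best first, given the current (pre-control) risk."""
    base = ale(sle, aro)
    return sorted(controls, key=lambda c: net_benefit(base, c), reverse=True)


# Constructed figures for one risk scenario (hypothetical, for illustration only).
BASE_SLE = 250_000.0   # loss per incident today
BASE_ARO = 0.4         # incidents per year today, giving an ALE of 100,000
CANDIDATES = [
    Control("mail filtering", annual_cost=20_000.0, sle_after=250_000.0, aro_after=0.1),
    Control("endpoint backup", annual_cost=60_000.0, sle_after=50_000.0, aro_after=0.4),
    Control("premium appliance", annual_cost=150_000.0, sle_after=250_000.0, aro_after=0.05),
]

if __name__ == "__main__":
    base = ale(BASE_SLE, BASE_ARO)
    print(f"current ALE: {base:,.0f}")
    for c in rank_controls(BASE_SLE, BASE_ARO, CANDIDATES):
        residual = ale(c.sle_after, c.aro_after)
        print(f"{c.name:18} residual ALE {residual:>9,.0f}  net benefit {net_benefit(base, c):>9,.0f}")
```

Ranked by residual ALE alone the appliance wins; ranked by net benefit it is the only option that loses money, which is exactly the gap in the ALE argument the explanation points out.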

Q53. Information security projects should be prioritized on the basis of: 

A. time required for implementation. 

B. impact on the organization. 

C. total cost for implementation. 

D. mix of resources required. 

Answer: B Explanation: 

Information security projects should be assessed on the basis of the positive impact that they will have on the organization. Time, cost and resource issues should be subordinate to this objective. 

Q54. Which of the following roles would represent a conflict of interest for an information security manager? 

A. Evaluation of third parties requesting connectivity 

B. Assessment of the adequacy of disaster recovery plans 

C. Final approval of information security policies 

D. Monitoring adherence to physical security controls

Answer: C Explanation:
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest. 

Q55. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST: 

A. meet with stakeholders to decide how to comply. 

B. analyze key risks in the compliance process. 

C. assess whether existing controls meet the regulation. 

D. update the existing security/privacy policy.

Answer: C Explanation:
If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap. 

Q56. In implementing information security governance, the information security manager is PRIMARILY responsible for: 

A. developing the security strategy. 

B. reviewing the security strategy. 

C. communicating the security strategy. 

D. approving the security strategy.

Answer: A Explanation:
The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy. 

Q57. Which of the following is the MOST important element of an information security strategy? 

A. Defined objectives 

B. Time frames for delivery 

C. Adoption of a control framework 

D. Complete policies

Answer: A Explanation:
Without defined objectives, a strategy—the plan to achieve objectives—cannot be developed. Time frames for delivery are important but not critical for inclusion in the strategy document. Similarly, the adoption of a control framework is not critical to having a successful information security strategy. Policies are developed subsequent to, and as a part of, implementing a strategy. 

Q58. A risk mitigation report would include recommendations for: 

A. assessment. 

B. acceptance.

C. evaluation. 

D. quantification.

Answer: B Explanation:

Acceptance of a risk is an alternative to be considered in the risk mitigation process. Assessment, evaluation and risk quantification are components of the risk analysis process that are completed prior to determining risk mitigation solutions.

Q59. Which of the following is the MOST usable deliverable of an information security risk analysis? 

A. Business impact analysis (BIA) report 

B. List of action items to mitigate risk 

C. Assignment of risks to process owners 

D. Quantification of organizational risk

Answer: B Explanation:
Although all of these are important, the list of action items is used to reduce or transfer the current level of risk. The other options materially contribute to the way the actions are implemented. 

Q60. The MOST important characteristic of good security policies is that they: 

A. state expectations of IT management. 

B. state only one general security mandate. 

C. are aligned with organizational goals. 

D. govern the creation of procedures and guidelines.

Answer: C Explanation:
The most important characteristic of good security policies is that they be aligned with organizational goals. Failure to align policies and goals significantly reduces the value provided by the policies. Stating expectations of IT management omits addressing overall organizational goals and objectives. Stating only one general security mandate is the next best option since policies should be clear; otherwise, policies may be confusing and difficult to understand. Governing the creation of procedures and guidelines is most relevant to information security standards.