REAL QUESTIONS SUBMIT MATERIAL ADVERTISE
Braindumps

Microsoft

Cisco

Citrix

CIW

CompTia

CWNA

Apple

Adobe

HP

Legato

Exin

Filemaker

Brocade

Ericsson

TIA

Veritas

ISEB

SCP

IISFA

ISM

OMG

Apc

Mile2

Foundry

Huawei

McData

Symantec

TeraData

RedHat

Solar Winds

Blue Coat

Riverbed

 

 
 
Click on name of dumper to view the dump
 
Alexander
 
 

Braindumps of CISM
CISM Certified Information Security Manager

 


Hi to all and thanks to www.exams.ws and www.4exam.com But there’s no need to have it from both of them, only questions from only one are sufficient I think. Here is my contribution.
 


QUESTION NO: 1
Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.
Answer: D
Explanation:
Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives.
Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.
QUESTION NO: 2
Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
Answer: B
Explanation:
Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.
QUESTION NO: 3
The MOST important component of a privacy policy is:
A. notifications
B. warranties
C. liabilities
D. geographic coverage
Answer: A
Explanation:
Privacy policies must contain notifications and opt-out provisions; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.
QUESTION NO: 4
It is MOST important that information security architecture be aligned with which of the following?
A. Industry best practices
B. Information technology plans
C. Information security best practices
D. Business objectives and goals
Answer: D
Explanation:
Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison.
QUESTION NO: 5
Security technologies should be selected PRIMARILY on the basis of their:
A. ability to mitigate business risks
B. evaluations in trade publications
C. use of new and emerging technologies
D. benefits in comparison to their costs
Answer: A
Explanation:
The most fundamental evaluation criteria for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.
QUESTION NO: 6
What will have the HIGHEST impact on standard information security governance models?
A. Number of employees
B. Distance between physical locations
C. Complexity of organizational structure
D. Organizational budget
Answer: C
Explanation:
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance.
Organizational budget is not a major impact once good governance models are in place, hence governance will help in effective management of the organization's budget.
QUESTION NO: 7
The PRIMARY goal in developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.
Answer: D
Explanation:
The business objectives of the organization supersede all other factors.
Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.
QUESTION NO: 8
What is the PRIMARY role of the information security manager in the process of information classification within an organization?
A. Defining and ratifying the classification structure of information assets
B. Deciding the classification levels applied to the organization's information assets
C. Securing information assets in accordance with their classification
D. Checking if information assets have been classified properly
Answer: A
Explanation:
Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization.
Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.
QUESTION NO: 9
An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. establish baseline standards for all locations and add supplemental standards as required.
C. bring all locations into conformity with a generally accepted set of industry best practices.
D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
Answer: B
Explanation:
It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The opposite approach-forcing all locations to be in compliance with the regulations-places an undue burden on those locations.
QUESTION NO: 10
Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
A. Ensure that all IT risks are identified
B. Evaluate the impact of information security risks
C. Demonstrate that IT mitigating controls are in place
D. Suggest new IT controls to mitigate operational risk
Answer: B
Explanation:
The job of the information security officer on such a team is to assess the risks to the business operation. Choice A is incorrect because information security is not limited to IT issues. Choice C is incorrect because at the time a team is formed to assess risk, it is premature to assume that any demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it is premature at the time of the formation of the team to assume that any suggestion of new IT controls will mitigate business operational risk.
QUESTION NO: 11
From an information security manager perspective, what is the immediate benefit of clearlydefined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability
Answer: D
Explanation:
Without well-defined roles and responsibilities, there cannot be accountability. Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct. Choice B is incorrect because people can be assigned to execute procedures that are not well designed. Choice C is incorrect because segregation of duties is not automatic, and roles may still include conflicting duties.
QUESTION NO: 12
An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report
Answer: B
Explanation:
Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.
QUESTION NO: 13
Which of the following is responsible for legal and regulatory liability?
A. Chief security officer (CSO)
B. Chief legal counsel (CLC)
C. Board and senior management
D. Information security steering group
Answer: C
Explanation:
The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
QUESTION NO: 14
Who in an organization has the responsibility for classifying information?
A. Data custodian
B. Database administrator
C. Information security officer
D. Data owner
Answer: D
Explanation:
The data owner has full responsibility over data. The data custodian is responsible for securing the information. The database administrator carries out the technical administration. The information security officer oversees the overall classification management of the information.
QUESTION NO: 15
Logging is an example of which type of defense against systems compromise?
A. Containment
B. Detection
C. Reaction
D. Recovery
Answer: B
Explanation:
Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
QUESTION NO: 16
Which of the following is MOST important in developing a security strategy?
A. Creating a positive business security environment
B. Understanding key business objectives
C. Having a reporting line to senior management
D. Allocating sufficient resources to information security
Answer: B
Explanation:
Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
QUESTION NO: 17
Which of the following factors is a primary driver for information security governance that does not require any further justification?
A. Alignment with industry best practices
B. Business continuity investment
C. Business benefits
D. Regulatory compliance
Answer: D
Explanation:
Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.
QUESTION NO: 18
A security manager meeting the requirements for the international flow of personal data will need to ensure:
A. a data processing agreement.
B. a data protection registration.
C. the agreement of the data subjects.
D. subject access procedures.
Answer: C
Explanation:
Whenever personal data are transferred across national boundaries; the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.
QUESTION NO: 19
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
A. prepare a security budget.
B. conduct a risk assessment.
C. develop an information security policy.
D. obtain benchmarking information.
Answer: B
Explanation:
Risk assessment, evaluation and impact analysis will be the starting point for driving management's attention to information security. All other choices will follow the risk assessment.
QUESTION NO: 20
Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
A. it implies compliance risks.
B. short-term impact cannot be determined.
C. it violates industry security practices.
D. changes in the roles matrix cannot be detected.
Answer: A
Explanation:
Monitoring processes are also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law. Choices B and C are evaluated as part of the operational risk. Choice D is unlikely to be as critical a breach of regulatory legislation. The acceptance of operational risks overrides choices B, C and D.
QUESTION NO: 21
How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
A. Give organization standards preference over local regulations
B. Follow local regulations only
C. Make the organization aware of those standards where local regulations causes conflicts
D. Negotiate a local version of the organization standards
Answer: D
Explanation:
Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since there needs to be some recognition of organization requirements.
Making an organization aware of standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation.
QUESTION NO: 22
What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
A. Risk assessment report
B. Technical evaluation report
C. Business case
D. Budgetary requirements
Answer: C
Explanation:
The information security manager needs to prioritize the controls based on risk management and the requirements of the organization. The information security manager must look at the costs of the various controls and compare them against the benefit the organization will receive from the security solution. The information security manager needs to have knowledge of the development of business cases to illustrate the costs and benefits of the various controls. All other choices are supplemental.
QUESTION NO: 23
To achieve effective strategic alignment of security initiatives, it is important that:
A. steering committee leadershipbe selected by rotation.
B. inputs be obtained and consensus achieved between the major organizational units.
C. the business strategybe updated periodically.
D. procedures and standardsbe approved by all departmental heads.
Answer: B
Explanation:
It is important to achieve consensus on risks and controls, and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization. Rotation of steering committee leadership does not help in achieving strategic alignment. Updating business strategy does not lead to strategic alignment of security initiatives. Procedures and standards need not be approved by all departmental heads
QUESTION NO: 24
Which of the following will BEST protect an organization from internal security attacks?
A. Static IP addressing
B. Internal address translation
C. Prospective employee background checks
D. Employee awareness certification program
Answer: C
Explanation:
Because past performance is a strong predictor of future performance, background checks of prospective employees best prevents attacks from originating within an organization. Static IP addressing does little to prevent an internal attack.
Internal address translation using nonroutable addresses is useful against external attacks but not against internal attacks. Employees who certify that they have read security policies are desirable, but this does not guarantee that the employees behave honestly.
QUESTION NO: 25
Acceptable risk is achieved when:
A. residual risk is minimized.
B. transferred risk is minimized.
C. control risk is minimized.
D. inherent risk is minimized.
Answer: A
Explanation:
Residual risk is the risk that remains after putting into place an effective risk management program; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is risk that has been assumed by a third party and may not necessarily be equal to the minimal form of residual risk. Control risk is the risk that controls may not prevent/detect an incident with a measure of control effectiveness.
Inherent risk cannot be minimized.
QUESTION NO: 26
Which of the following results from the risk assessment process would BEST assist risk management decision making?
A. Control risk
B. Inherent risk
C. Risk exposure
D. Residual risk
Answer: D
Explanation:
Residual risk provides management with sufficient information to decide on the level of risk that an organization is willing to accept. Control risk is the risk that a control may not succeed in preventing an undesirable event. Risk exposure is the likelihood of an undesirable event occurring.
Inherent risk is an important factor to be considered during the risk assessment.
QUESTION NO: 27
Risk management programs are designed to reduce risk to:
A. a level that is too small to be measurable.
B. the point at which the benefit exceeds the expense.
C. a level that the organization is willing to accept.
D. a rate of return that equals the current cost of capital.
Answer: C
Explanation:
Risk should be reduced to a level that an organization is willing to accept.
Reducing risk to a level too small to measure is impractical and is often cost-prohibitive.
To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered. Depending on the risk preference of an organization, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Therefore, choice C is a more precise Answer.
QUESTION NO: 28
A risk assessment should be conducted:
A. once a year for each business process andsubprocess.
B. every three-to-six months for critical business processes.
C. by external parties to maintain objectivity.
D. annually or whenever there is a significant change.
Answer: D
Explanation:
Risks are constantly changing. Choice D offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change.
Conducting a risk assessment once a year is insufficient if important changes take place. Conducting a risk assessment every three-to-six months for critical processes may not be necessary, or it may not address important changes in a timely manner. It is not necessary for assessments to be performed by external parties.


CISM

 

 

 

Braindumps Real exam questions and verified answers - 100% passing guarantee - cheap prices.

 

Free brain dumps Braindumps, notes, books for free

 

Braindumps and Exams - Instant download real exam questions - Passing guarantee.

Follow us on FaceBook
Braindumps on Facebook
 
 
 
 
 

CheckPoint

Linux

Novell

DB/2

Network Appliance

EC-Council

Nortel

McAfee

Juniper

ISACA

PMI

Sybase

EMC

HDI

SNIA

ISC

Sair

IBM

Lotus

Exam Express

3COM

BICSI

DeLL

Enterasys

Extreme Networks

Guidance Software

Computer Associates

Network General

SAS Institute

Alcatel Lucent

SeeBeyond

TruSecure

Polycom

Hyperion

Hitachi

Nokia

Fortinet

Vmware

Fujitsu

Tibco

Intel

PostgreSQLCE

BusinessObjects

RESSoftware

BlackBerry

AccessData

ICDL

Isilon

SAP

The Open Group

ACSM

Altiris

Avaya

Cognos

F5

Genesys

SDI

ACI

ASQ

Google

H3C

HIPAA

HRCI

SOA

IIBA

Zend