Free CISM Exam Braindumps (page: 14)


An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

  A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
  B. establish baseline standards for all locations and add supplemental standards as required.
  C. bring all locations into conformity with a generally accepted set of industry best practices.
  D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.

Answer(s): B

Explanation:

It is more efficient to establish a baseline standard for every location and then develop supplemental standards only for the locations that must meet additional, jurisdiction-specific requirements. Settling for the lowest common denominator (choice D) or relying on industry best practices alone (choice C) may leave certain locations out of compliance with their local regulations. The opposite approach, forcing every location to comply with the aggregate of all jurisdictions' regulations (choice A), places an undue burden on locations that are not subject to most of those requirements.



Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?

  A. Ensure that all IT risks are identified
  B. Evaluate the impact of information security risks
  C. Demonstrate that IT mitigating controls are in place
  D. Suggest new IT controls to mitigate operational risk

Answer(s): B

Explanation:

The information security manager's job on such a team is to assess the risks to the business operation. Choice A is incorrect because information security risk is not limited to IT issues. Choices C and D are incorrect because, at the time the team is formed to assess the risk, it is premature to assume that demonstrating existing IT controls, or proposing new ones, will mitigate the operational risk; the risk must be evaluated before controls can be judged or selected.



From an information security manager perspective, what is the immediate benefit of clearly-defined roles and responsibilities?

  A. Enhanced policy compliance
  B. Improved procedure flows
  C. Segregation of duties
  D. Better accountability

Answer(s): D

Explanation:

Without well-defined roles and responsibilities there can be no accountability, because no one can be held answerable for a duty that has not been assigned. Choice A is incorrect because policy compliance depends on accountability being defined first and is therefore a byproduct rather than the immediate benefit. Choice B is incorrect because people can be assigned to execute procedures that are themselves poorly designed. Choice C is incorrect because segregation of duties does not follow automatically from defining roles; a clearly defined role may still combine conflicting duties.



An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?

  A. Security metrics reports
  B. Risk assessment reports
  C. Business impact analysis (BIA)
  D. Return on security investment report

Answer(s): B

Explanation:

A risk assessment allows the information security manager to prioritize the remedial measures and gives management a quantified picture of the exposure, which is what conveys a sense of urgency. Security metrics reports are normally an input to the risk assessment methodology, lending it credibility and providing an ongoing measurement tool, but on their own they do not communicate urgency. A business impact analysis (BIA) covers business continuity risks only. A return on security investment report cannot be produced until a remediation plan has been developed, which in turn depends on the risk assessment.
