CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

Free CISM Exam Braindumps (page: 15)

Page 14 of 430
PDF with 1716 Questions

Reviewing which of the following would BEST ensure that security controls are effective?

  1. Risk assessment policies
  2. Return on security investment
  3. Security metrics
  4. User access rights

Answer(s): C

Explanation:

Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.



Which of the following is responsible for legal and regulatory liability?

  1. Chief security officer (CSO)
  2. Chief legal counsel (CLC)
  3. Board and senior management
  4. Information security steering group

Answer(s): C

Explanation:

The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.



While implementing information security governance an organization should FIRST:

  1. adopt security standards.
  2. determine security baselines.
  3. define the security strategy.
  4. establish security policies.

Answer(s): C

Explanation:

The first step in implementing information security governance is to define the security strategy based on which security baselines are determined. Adopting suitable security- standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.



The MOST basic requirement for an information security governance program is to:

  1. be aligned with the corporate business strategy.
  2. be based on a sound risk management approach.
  3. provide adequate regulatory compliance.
  4. provide best practices for security- initiatives.

Answer(s): A

Explanation:

To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.






Post your Comments and Discuss ISACA CISM exam with other Community members:

CISM Exam Discussions & Posts