Free CISM Exam Braindumps (page: 17)

An information security manager at a global organization must ensure that the local information security program initially complies with the:

  A. corporate data privacy policy.
  B. data privacy policy where data are collected.
  C. data privacy policy of the headquarters' country.
  D. data privacy directive applicable globally.

Answer(s): B

Explanation:

As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from those of the country in which the organization is headquartered, it is improbable that a group-wide policy will address all the local legal requirements. In the case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. Data privacy laws are country-specific.



A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:

  A. meet with stakeholders to decide how to comply.
  B. analyze key risks in the compliance process.
  C. assess whether existing controls meet the regulation.
  D. update the existing security/privacy policy.

Answer(s): C

Explanation:

If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.



The PRIMARY objective of a security steering group is to:

  A. ensure information security covers all business functions.
  B. ensure information security aligns with business goals.
  C. raise information security awareness across the organization.
  D. implement all decisions on security management across the organization.

Answer(s): B

Explanation:

The security steering group comprises senior management of key business functions and has the primary objective of aligning the security strategy with the business direction. Option A is incorrect because not all business areas may need to be covered by information security; even where they are, the main purpose of the steering committee is alignment rather than coverage. While raising awareness is important, this goal would not be carried out by the committee itself. The steering committee may delegate part of the decision making to the information security manager; even if it retains this authority, it is not the primary goal.



Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:

  A. baseline.
  B. strategy.
  C. procedure.
  D. policy.

Answer(s): D

Explanation:

A policy is a high-level statement of an organization's beliefs, goals, roles and objectives. Baselines establish a minimum security level throughout an organization. The information security strategy aligns the information security program with business objectives rather than making control statements. A procedure is a step-by-step process describing how policy and standards will be implemented.
