CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

Free CISM Exam Braindumps (page: 18)

Page 17 of 430
PDF with 1716 Questions

At what stage of the applications development process should the security department initially become involved?

  1. When requested
  2. At testing
  3. At programming
  4. At detail requirements

Answer(s): D

Explanation:

Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process.



A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

  1. Examples of genuine incidents at similar organizations
  2. Statement of generally accepted best practices
  3. Associating realistic threats to corporate objectives
  4. Analysis of current technological exposures

Answer(s): C

Explanation:

Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.



The PRIMARY concern of an information security manager documenting a formal data retention policy would be:

  1. generally accepted industry best practices.
  2. business requirements.
  3. legislative and regulatory requirements.
  4. storage availability.

Answer(s): B

Explanation:

The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided



When personal information is transmitted across networks, there MUST be adequate controls over:

  1. change management.
  2. privacy protection.
  3. consent to data transfer.
  4. encryption devices.

Answer(s): B

Explanation:

Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals. Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the devices may not ensure adequate privacy protection and, therefore, is a partial answer.






Post your Comments and Discuss ISACA CISM exam with other Community members:

CISM Exam Discussions & Posts