Free CISM Exam Braindumps (page: 25)

Page 24 of 430

In implementing information security governance, the information security manager is PRIMARILY responsible for:

  A. developing the security strategy.
  B. reviewing the security strategy.
  C. communicating the security strategy.
  D. approving the security strategy.

Answer(s): A

Explanation:

The information security manager is responsible for developing a security strategy based on business objectives with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy.



An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:

  A. performance measurement.
  B. integration.
  C. alignment.
  D. value delivery.

Answer(s): C

Explanation:

Strategic alignment of security with business objectives is a key indicator of performance measurement. In guiding a security program, a meaningful performance measurement will also rely on an understanding of business objectives, which will be an outcome of alignment. Business linkages do not by themselves indicate integration or value delivery. While alignment is an important precondition, it is not as important an indicator.



When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?

  A. Compliance with international security standards.
  B. Use of a two-factor authentication system.
  C. Existence of an alternate hot site in case of business disruption.
  D. Compliance with the organization's information security requirements.

Answer(s): D

Explanation:

From a security standpoint, compliance with the organization's information security requirements is one of the most important topics that should be included in the contract with a third-party service provider. The scope of implemented controls in any ISO 27001-compliant organization depends on the security requirements established by each organization. Requiring compliance only with this security standard does not guarantee that a service provider complies with the organization's security requirements. The requirement to use a specific kind of control methodology is not usually stated in the contract with third-party service providers.



To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:

  A. review the functionalities and implementation requirements of the solution.
  B. review comparison reports of tool implementation in peer companies.
  C. provide examples of situations where such a tool would be useful.
  D. substantiate the investment in meeting organizational needs.

Answer(s): D

Explanation:

Any investment must be reviewed to determine whether it is cost effective and supports the organizational strategy. It is important to review the features and functionalities provided by such a tool, and to provide examples of situations where the tool would be useful, but that comes after substantiating the investment and return on investment to the organization.

