Free CISM Exam Braindumps (page: 26)


The MOST useful way to describe the objectives in the information security strategy is through:

  A. attributes and characteristics of the "desired state."
  B. overall control objectives of the security program.
  C. mapping the IT systems to key business processes.
  D. calculation of annual loss expectations.

Answer(s): A

Explanation:

A security strategy typically covers a wide variety of issues, processes, technologies and outcomes, and these are best described by the set of characteristics and attributes the organization wants to reach (the "desired state"). Control objectives are developed after the strategy and policy have been defined. Mapping IT systems to key business processes does not address strategy issues. Calculating annual loss expectations quantifies risk; it does not describe the objectives of the information security strategy.



In order to highlight to management the importance of network security, the security manager should FIRST:

  A. develop a security architecture.
  B. install a network intrusion detection system (NIDS) and prepare a list of attacks.
  C. develop a network security policy.
  D. conduct a risk assessment.

Answer(s): D

Explanation:

A risk assessment is the most helpful to management because it gives a high-level view of the threats, their probabilities and the existing controls. Developing a security architecture, installing a network intrusion detection system (NIDS) and preparing a list of attacks on the network, or developing a network security policy would not be as effective in highlighting the importance to management, and each would follow only after a risk assessment has been performed.



When developing an information security program, what is the MOST useful source of information for determining available resources?

  A. Proficiency test
  B. Job descriptions
  C. Organization chart
  D. Skills inventory

Answer(s): D

Explanation:

A skills inventory would help identify the available resources, any gaps, and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources available for this activity.



The MOST important characteristic of good security policies is that they:

  A. state expectations of IT management.
  B. state only one general security mandate.
  C. are aligned with organizational goals.
  D. govern the creation of procedures and guidelines.

Answer(s): C

Explanation:

The most important characteristic of good security policies is that they are aligned with organizational goals; failure to align policies with those goals significantly reduces the value the policies provide. Stating expectations of IT management leaves overall organizational goals and objectives unaddressed. Stating only one general security mandate is the next best option, since policies should be clear; otherwise they may be confusing and difficult to understand. Governing the creation of procedures and guidelines is most relevant to information security standards, not policies.


