CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

Free CISM Exam Braindumps (page: 33)

Page 33 of 430
PDF with 1716 Questions

The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?

  1. Laws and regulations of the country of origin may not be enforceable in the foreign country.
  2. A security breach notification might get delayed due to the time difference.
  3. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
  4. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.

Answer(s): A

Explanation:

A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Option C is a manageable problem that requires additional funding, but can be addressed. Option D is a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or a SAS 70 report can address such concerns.



Effective IT governance is BEST ensured by:

  1. utilizing a bottom-up approach.
  2. management by the IT department.
  3. referring the matter to the organization's legal department.
  4. utilizing a top-down approach.

Answer(s): D

Explanation:

Effective IT governance needs to be a top-down initiative, with the board and executive management setting clear policies, goals and objectives and providing for ongoing monitoring of the same. Focus on the regulatory issues and management priorities may not be reflected effectively by a bottom-up approach. IT governance affects the entire organization and is not a matter concerning only the management of IT. The legal department is part of the overall governance process, but cannot take full responsibility.



The FIRST step to create an internal culture that focuses on information security is to:

  1. implement stronger controls.
  2. conduct periodic awareness training.
  3. actively monitor operations.
  4. gain the endorsement of executive management.

Answer(s): D

Explanation:

Endorsement of executive management in the form of policies provides direction and awareness. The implementation of stronger controls may lead to circumvention. Awareness training is important, but must be based on policies. Actively monitoring operations will not affect culture at all levels.



Which of the following is the BEST method or technique to ensure the effective implementation of aninformation security program?

  1. Obtain the support of the board of directors.
  2. Improve the content of the information security awareness program.
  3. Improve the employees' knowledge of security policies.
  4. Implement logical access controls to the information systems.

Answer(s): A

Explanation:

It is extremely difficult to implement an information security program without the aid and support of the board of directors. If they do not understand the importance of security to the achievement of the business objectives, other measures will not be sufficient. Options B and (' are measures proposed to ensure the efficiency of the information security program implementation, but are of less significance than obtaining the aid and support of the board of directors. Option D is a measure to secure the enterprise information, but by itself is not a measure to ensure the broader effectiveness of an information security program.






Post your Comments and Discuss ISACA CISM exam with other Community members:

CISM Exam Discussions & Posts