Free CISM Exam Braindumps (page: 34)

When an organization is implementing an information security governance program, its board of directors should be responsible for:

  A. drafting information security policies.
  B. reviewing training and awareness programs.
  C. setting the strategic direction of the program.
  D. auditing for compliance.

Answer(s): C

Explanation:

A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.



A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach for the information security manager?

  A. Acceptance of the business manager's decision on the risk to the corporation
  B. Acceptance of the information security manager's decision on the risk to the corporation
  C. Review of the assessment with executive management for final input
  D. A new risk assessment and BIA are needed to resolve the disagreement

Answer(s): C

Explanation:

Executive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process.



Who is responsible for ensuring that information is categorized and that specific protective measures are taken?

  A. The security officer
  B. Senior management
  C. The end user
  D. The custodian

Answer(s): B

Explanation:

Routine administration of all aspects of security is delegated, but top management must retain overall responsibility. The security officer supports and implements information security for senior management. The end user does not perform categorization. The custodian supports and implements information security measures as directed.



An organization's board of directors has learned of recent legislation requiring organizations within the industry to enact specific safeguards to protect confidential customer information. What actions should the board take next?

  A. Direct information security on what they need to do
  B. Research solutions to determine the proper solutions
  C. Require management to report on compliance
  D. Nothing; information security does not report to the board

Answer(s): C

Explanation:

Information security governance is the responsibility of the board of directors and executive management. In this instance, the appropriate action is to ensure that a plan is in place for implementation of needed safeguards and to require updates on that implementation.
