Free CISM Exam Braindumps (page: 9)


Which of the following would be the MOST important goal of an information security governance program?

  A. Review of internal control mechanisms
  B. Effective involvement in business decision making
  C. Total elimination of risk factors
  D. Ensuring trust in data

Answer(s): D

Explanation:

The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.



Relationships among security technologies are BEST defined through which of the following?

  A. Security metrics
  B. Network topology
  C. Security architecture
  D. Process improvement models

Answer(s): C

Explanation:

Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies.

Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.



A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?

  A. Enforce the existing security standard
  B. Change the standard to permit the deployment
  C. Perform a risk analysis to quantify the risk
  D. Perform research to propose use of a better technology

Answer(s): C

Explanation:

Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.



Acceptable levels of information security risk should be determined by:

  A. legal counsel.
  B. security management.
  C. external auditors.
  D. the steering committee.

Answer(s): D

Explanation:

Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel, the external auditors and security management are not in a position to make such a decision.

