10 Tips For CISM IT candidates

High-value CISM exam engine materials and tutorials for the ISACA certification for IT engineers. Real success guaranteed with updated CISM PDF and VCE dump materials. 100% pass the Certified Information Security Manager exam today!

2017 Jan CISM exam guide

Q11. The MOST important characteristic of good security policies is that they: 

A. state expectations of IT management. 

B. state only one general security mandate. 

C. are aligned with organizational goals. 

D. govern the creation of procedures and guidelines.

The most important characteristic of good security policies is that they be aligned with organizational goals. Failure to align policies and goals significantly reduces the value provided by the policies. Stating expectations of IT management omits addressing overall organizational goals and objectives. Stating only one general security mandate is the next best option since policies should be clear; otherwise, policies may be confusing and difficult to understand. Governing the creation of procedures and guidelines is most relevant to information security standards.

Q12. What is the MAIN risk when there is no user management representation on the Information Security Steering Committee? 

A. Functional requirements are not adequately considered. 

B. User training programs may be inadequate. 

C. Budgets allocated to business units are not appropriate. 

D. Information security plans are not aligned with business requirements.

The steering committee controls the execution of the information security strategy, according to the needs of the organization, and decides on the project prioritization and the execution plan. User management is an important group that should be represented to ensure that the information security plans are aligned with the business needs. Functional requirements and user training programs are considered to be part of the projects but are not the main risks. The steering committee does not approve budgets for business units.

Q13. To ensure that payroll systems continue to operate in the event of a hurricane hitting a data center, what would be the FIRST crucial step an information security manager would take in ensuring business continuity planning?

A. Conducting a qualitative and quantitative risk analysis. 

B. Assigning value to the assets. 

C. Weighing the cost of implementing the plan vs. financial loss. 

D. Conducting a business impact analysis (BIA).

BIA is an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. It is the first crucial step in business continuity planning. Qualitative and quantitative risk analysis will have been completed to define the dangers to individuals, businesses and government agencies posed by potential natural and human-caused adverse events. Assigning value to assets is part of the BIA process. Weighing the cost of implementing the plan vs. financial loss is another part of the BIA.

Q14. An information security program should be sponsored by: 

A. infrastructure management. 

B. the corporate audit department. 

C. key business process owners. 

D. information security management.

The information security program should ideally be sponsored by business managers, as represented by key business process owners. Infrastructure management is not sufficiently independent and lacks the necessary knowledge regarding specific business requirements. A corporate audit department is not in as good a position to fully understand how an information security program needs to meet the needs of the business. Audit independence and objectivity will be lost, impeding traditional audit functions. Information security implements and executes the program. Although it should promote it at all levels, it cannot sponsor the effort due to insufficient operational knowledge and lack of proper authority.

Q15. The chief information security officer (CISO) should ideally have a direct reporting relationship to the: 

A. head of internal audit. 

B. chief operations officer (COO). 

C. chief technology officer (CTO). 

D. legal counsel.

The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO's goals for the infrastructure might, at times, run counter to the goals of information security.

Avant-garde CISM exams:

Q16. Which of the following is the MOST effective solution for preventing internal users from modifying sensitive and classified information? 

A. Baseline security standards 

B. System access violation logs 

C. Role-based access controls 

D. Exit routines

Role-based access controls help ensure that users only have access to files and systems appropriate for their job role. Violation logs are detective and do not prevent unauthorized access. Baseline security standards do not prevent unauthorized access. Exit routines are dependent upon appropriate role-based access.

Q17. There is a time lag between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period? 

A. Identify the vulnerable systems and apply compensating controls 

B. Minimize the use of vulnerable systems 

C. Communicate the vulnerability to system users 

D. Update the signatures database of the intrusion detection system (IDS)

The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to system users could be compensating controls but would not be the first course of action. Choice D does not make clear the timing of when the intrusion detection system (IDS) signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.

Q18. Which of the following situations would MOST inhibit the effective implementation of security governance?

A. The complexity of technology 

B. Budgetary constraints 

C. Conflicting business priorities 

D. High-level sponsorship

The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance. Complexity of technology, budgetary constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors.

Q19. The PRIMARY benefit of performing an information asset classification is to: 

A. link security requirements to business objectives. 

B. identify controls commensurate to risk. 

C. define access rights. 

D. establish ownership.

All choices are benefits of information classification. However, identifying controls that are proportional to the risk in all cases is the primary benefit of the process.

Q20. Minimum standards for securing the technical infrastructure should be defined in a security: 

A. strategy. 

B. guidelines. 

C. model. 

D. architecture.

Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.
