Exam Name: Certified Information Security Manager

Vendor: Isaca
Exam Code: CISM
Exam Name: Certified Information Security Manager
Version: DEMO

QUESTION 1
Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A. organizational risk.
B. organization-wide metrics.
C. security needs.
D. the responsibilities of organizational units.

Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.

QUESTION 2
Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls

Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.

QUESTION 3
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has difficulty filling vacancies.
B. The chief information officer (CIO) approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.

A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals.

QUESTION 4
Which of the following requirements would have the lowest level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business

Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are government-mandated and, therefore, not subject to override. The needs of the business should always take precedence in deciding information security priorities.

QUESTION 5
When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
A. Develop a security architecture
B. Establish good communication with steering committee members
C. Assemble an experienced staff
D. Benchmark peer organizations

Answer: B

New information security managers should seek to build rapport and establish lines of communication with senior management to enlist their support. Benchmarking peer organizations is beneficial to better understand industry best practices, but it is secondary to obtaining senior management support. Similarly, developing a security architecture and assembling an experienced staff are objectives that can be obtained later.

QUESTION 6
It is MOST important that information security architecture be aligned with which of the following?
A. Industry best practices
B. Information technology plans
C. Information security best practices
D. Business objectives and goals

Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison.

QUESTION 7
Which of the following is MOST likely to be discretionary?
A. Policies
B. Procedures
C. Guidelines
D. Standards

Policies define security goals and expectations for an organization. These are defined in more specific terms within standards and procedures. Standards establish what is to be done, while procedures describe how it is to be done. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.

QUESTION 8
Security technologies should be selected PRIMARILY on the basis of their:
A. ability to mitigate business risks.
B. evaluations in trade publications.
C. use of new and emerging technologies.
D. benefits in comparison to their costs.

The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.

QUESTION 9
Which of the following are seldom changed in response to technological changes?
A. Standards
B. Procedures
C. Policies
D. Guidelines

Policies are high-level statements of objectives. Because of their high-level nature and statement of broad operating principles, they are less subject to periodic change. Security standards and procedures, as well as guidelines, must be revised and updated based on the impact of technology changes.

QUESTION 10
The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
A. storage capacity and shelf life.
B. regulatory and legal requirements.
C. business strategy and direction.
D. application systems and media.

Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.

QUESTION 11
Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
A. More uniformity in quality of service
B. Better adherence to policies
C. Better alignment to business unit needs
D. More savings in total operating costs

Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.

QUESTION 12
Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
A. Chief security officer (CSO)
B. Chief operating officer (COO)
C. Chief privacy officer (CPO)
D. Chief legal counsel (CLC)

Answer: B

The chief operating officer (COO) is most knowledgeable of business operations and objectives. The chief privacy officer (CPO) and the chief legal counsel (CLC) may not have the knowledge of the day-to-day business operations to ensure proper guidance, although they have the same influence within the organization as the COO. Although the chief security officer (CSO) is knowledgeable of what is needed, the sponsor for this task should be someone with far-reaching influence across the organization.