Isaca CISM

Certified Information Security Manager

(Page 1 out of 43)
Showing 15 of 631 Questions
Exam Version: 6.1
Question No : 1 - Topic 1

Who should be responsible for enforcing access rights to application data?

  • A. Data owners
  • B. Business process owners
  • C. The security steering committee
  • D. Security administrators

Answer : D

Explanation: As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.



Question No : 2 - Topic 1

The MOST important component of a privacy policy is:

  • A. notifications.
  • B. warranties.
  • C. liabilities.
  • D. geographic coverage.

Answer : A

Explanation: Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.



Question No : 3 - Topic 1

Investment in security technology and processes should be based on:

  • A. clear alignment with the goals and objectives of the organization.
  • B. success cases that have been experienced in previous projects.
  • C. best business practices.
  • D. safeguards that are inherent in existing technology.

Answer : A

Explanation: Organization maturity level for the protection of information is a clear alignment with goals and objectives of the organization. Experience in previous projects is dependent upon other business models which may not be applicable to the current model. Best business practices may not be applicable to the organization's business needs. Safeguards inherent to existing technology are low cost but may not address all business needs and/or goals of the organization.



Question No : 4 - Topic 1

A security manager is preparing a report to obtain the commitment of executive
management to a security program. Inclusion of which of the following would be of MOST
value?

  • A. Examples of genuine incidents at similar organizations
  • B. Statement of generally accepted best practices
  • C. Associating realistic threats to corporate objectives
  • D. Analysis of current technological exposures

Answer : C

Explanation: Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.



Question No : 5 - Topic 1

When a security standard conflicts with a business objective, the situation should be
resolved by:

  • A. changing the security standard.
  • B. changing the business objective.
  • C. performing a risk analysis.
  • D. authorizing a risk acceptance.

Answer : C

Explanation: Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance* is a process that derives from the risk analysis.



Question No : 6 - Topic 1

Minimum standards for securing the technical infrastructure should be defined in a security:

  • A. strategy.
  • B. guidelines.
  • C. model.
  • D. architecture.

Answer : D

Explanation: Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.



Question No : 7 - Topic 1

An information security manager must understand the relationship between information
security and business operations in order to:

  • A. support organizational objectives.
  • B. determine likely areas of noncompliance.
  • C. assess the possible impacts of compromise.
  • D. understand the threats to the business.

Answer : A

Explanation: Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.



Question No : 8 - Topic 1

Which of the following should be the FIRST step in developing an information security
plan?

  • A. Perform a technical vulnerabilities assessment
  • B. Analyze the current business strategy
  • C. Perform a business impact analysis
  • D. Assess the current levels of security awareness

Answer : B

Explanation: Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.



Question No : 9 - Topic 1

Information security governance is PRIMARILY driven by:

  • A. technology constraints.
  • B. regulatory requirements.
  • C. litigation potential.
  • D. business strategy.

Answer : D

Explanation: Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.



Question No : 10 - Topic 1

When developing an information security program, what is the MOST useful source of
information for determining available resources?

  • A. Proficiency test
  • B. Job descriptions
  • C. Organization chart
  • D. Skills inventory

Answer : D

Explanation: A skills inventory would help identify- the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.



Question No : 11 - Topic 1

To justify its ongoing security budget, which of the following would be of MOST use to the
information security' department?

  • A. Security breach frequency
  • B. Annualized loss expectancy (ALE)
  • C. Cost-benefit analysis
  • D. Peer group comparison

Answer : C

Explanation: Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact. Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization.



Question No : 12 - Topic 1

Who should drive the risk analysis for an organization?

  • A. Senior management
  • B. Security manager
  • C. Quality manager
  • D. Legal department

Answer : B

Explanation: Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.



Question No : 13 - Topic 1

Which of the following is characteristic of centralized information security management?

  • A. More expensive to administer
  • B. Better adherence to policies
  • C. More aligned with business unit needs
  • D. Faster turnaround of requests

Answer : B

Explanation: Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economics of scale. However, turnaround can be slower due to the lack of alignment with business units.



Question No : 14 - Topic 1

Information security should be:

  • A. focused on eliminating all risks.
  • B. a balance between technical and business requirements.
  • C. driven by regulatory requirements.
  • D. defined by the board of directors.

Answer : B

Explanation: Information security should ensure that business objectives are met given available technical capabilities, resource constraints and compliance requirements. It is not practical or feasible to eliminate all risks. Regulatory requirements must be considered, but are inputs to the business considerations. The board of directors does not define information security, but provides direction in support of the business goals and objectives.



Question No : 15 - Topic 1

Which of the following is the MOST important information to include in an information
security standard?

  • A. Creation date
  • B. Author name
  • C. Initial draft approval date
  • D. Last review date

Answer : D

Explanation: The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard. The name of the author as well as the creation and draft dates are not that important.



(Page 1 out of 43)
Showing of 631 Questions
Exam Version: 6.1