Isaca CISM

Certified Information Security Manager

(Page 1 out of 64)
Showing 10 of 631 Questions
Exam Version: 6.1
Question No : 1 - Topic 1

Who should be responsible for enforcing access rights to application data?

  • A. Data owners
  • B. Business process owners
  • C. The security steering committee
  • D. Security administrators

Answer : D

Explanation: As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.

Question No : 2 - Topic 1

The MOST important component of a privacy policy is:

  • A. notifications.
  • B. warranties.
  • C. liabilities.
  • D. geographic coverage.

Answer : A

Explanation: Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

Question No : 3 - Topic 1

Investment in security technology and processes should be based on:

  • A. clear alignment with the goals and objectives of the organization.
  • B. success cases that have been experienced in previous projects.
  • C. best business practices.
  • D. safeguards that are inherent in existing technology.

Answer : A

Explanation: Organization maturity level for the protection of information is a clear alignment with goals and objectives of the organization. Experience in previous projects is dependent upon other business models which may not be applicable to the current model. Best business practices may not be applicable to the organization's business needs. Safeguards inherent to existing technology are low cost but may not address all business needs and/or goals of the organization.

Question No : 4 - Topic 1

A security manager is preparing a report to obtain the commitment of executive
management to a security program. Inclusion of which of the following would be of MOST

  • A. Examples of genuine incidents at similar organizations
  • B. Statement of generally accepted best practices
  • C. Associating realistic threats to corporate objectives
  • D. Analysis of current technological exposures

Answer : C

Explanation: Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.

Question No : 5 - Topic 1

When a security standard conflicts with a business objective, the situation should be
resolved by:

  • A. changing the security standard.
  • B. changing the business objective.
  • C. performing a risk analysis.
  • D. authorizing a risk acceptance.

Answer : C

Explanation: Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance* is a process that derives from the risk analysis.

Question No : 6 - Topic 1

Minimum standards for securing the technical infrastructure should be defined in a security:

  • A. strategy.
  • B. guidelines.
  • C. model.
  • D. architecture.

Answer : D

Explanation: Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.

Question No : 7 - Topic 1

An information security manager must understand the relationship between information
security and business operations in order to:

  • A. support organizational objectives.
  • B. determine likely areas of noncompliance.
  • C. assess the possible impacts of compromise.
  • D. understand the threats to the business.

Answer : A

Explanation: Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.

Question No : 8 - Topic 1

Which of the following should be the FIRST step in developing an information security

  • A. Perform a technical vulnerabilities assessment
  • B. Analyze the current business strategy
  • C. Perform a business impact analysis
  • D. Assess the current levels of security awareness

Answer : B

Explanation: Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.

Question No : 9 - Topic 1

Information security governance is PRIMARILY driven by:

  • A. technology constraints.
  • B. regulatory requirements.
  • C. litigation potential.
  • D. business strategy.

Answer : D

Explanation: Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.

Question No : 10 - Topic 1

When developing an information security program, what is the MOST useful source of
information for determining available resources?

  • A. Proficiency test
  • B. Job descriptions
  • C. Organization chart
  • D. Skills inventory

Answer : D

Explanation: A skills inventory would help identify- the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.

(Page 1 out of 64)
Showing of 631 Questions
Exam Version: 6.1