
CISM Study material 



Troytec.com is a place where you can find various types of CISM exam preparation material. Troytec’s full range of study material for the CISM exam helps you prepare fully and enter the exam centre with confidence. We provide easy, simple and up-to-date study material. We guarantee that after preparing with the CISM exam material prepared by us you will become a certified professional, and that with Troytec CISM study material you will pass the certification exam.

Tags: CISM Exams, CISM Certification, CISM Training, CISM Practice Exams, CISM Tests, CISM Exam Materials, CISM download
Views: 2617
Downloads: 89
Published: March 09, 2010
Notes:
 
CISM Certified Information Security Manager (CISM) Exam: CISM Demo Edition
© 2008 - 2009 Test Killer, LTD All Rights Reserved
http://www.testkiller.com http://www.troytec.com

Section 1: Sec One (1 to 20) Details: Information Security Governance

QUESTION: 1
Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness
Answer: B
Explanation: Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.

QUESTION: 2
Senior management commitment and support for information security can BEST be obtained through presentations that:
A. use illustrative examples of successful attacks.
B. explain the technical risks to the organization.
C. evaluate the organization against best security practices.
D. tie security risks to key business objectives.
Answer: D
Explanation: Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on the business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.

QUESTION: 3
The MOST appropriate role for senior management in supporting information security is the:
A. evaluation of vendors offering security products.
B. assessment of risks to the organization.
C. approval of policy statements and funding.
D. monitoring adherence to regulatory requirements.
Answer: C
Explanation: Since the members of senior management are ultimately responsible for information security, they are the ultimate decision makers in terms of governance and direction. They are responsible for approval of major policy statements and requests to fund the information security practice. Evaluation of vendors, assessment of risks and monitoring compliance with regulatory requirements are day-to-day responsibilities of the information security manager; in some organizations, business management is involved in these other activities, though their primary role is direction and governance.

QUESTION: 4
Which of the following would BEST ensure the success of information security governance within an organization?
A. Steering committees approve security projects
B. Security policy training provided to all managers
C. Security training available to all employees on the intranet
D. Steering committees enforce compliance with laws and regulations
Answer: A
Explanation: The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.

QUESTION: 5
Information security governance is PRIMARILY driven by:
A. technology constraints.
B. regulatory requirements.
C. litigation potential.
D. business strategy.
Answer: D
Explanation: Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.

QUESTION: 6
Which of the following represents the MAJOR focus of privacy regulations?
A. Unrestricted data mining
B. Identity theft
C. Human rights protection
D. Identifiable personal data
Answer: D
Explanation: Protection of identifiable personal data is the major focus of recent privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Data mining is an accepted tool for ad hoc reporting; it could pose a threat to privacy only if it violates regulatory provisions. Identity theft is a potential consequence of privacy violations but not the main focus of many regulations. Human rights addresses privacy issues but is not the main focus of regulations.

QUESTION: 7
Investments in information security technologies should be based on:
A. vulnerability assessments.
B. value analysis.
C. business climate.
D. audit recommendations.
Answer: B
Explanation: Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate because it is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.

QUESTION: 8
Retention of business records should PRIMARILY be based on:
A. business strategy and direction.
B. regulatory and legal requirements.
C. storage capacity and longevity.
D. business case and value analysis.
Answer: B
Explanation: Retention of business records is generally driven by legal and regulatory requirements. Business strategy and direction would not normally apply, nor would they override legal and regulatory requirements. Storage capacity and longevity are important but secondary issues. Business case and value analysis would be secondary to complying with legal and regulatory requirements.

QUESTION: 9
Which of the following is characteristic of centralized information security management?
A. More expensive to administer
B. Better adherence to policies
C. More aligned with business unit needs
D. Faster turnaround of requests
Answer: B
Explanation: Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economies of scale. However, turnaround can be slower due to the lack of alignment with business units.

QUESTION: 10
Successful implementation of information security governance will FIRST require:
A. security awareness training.
B. updated security policies.
C. a computer incident management team.
D. a security architecture.
Answer: B
Explanation: Updated security policies are required to align management objectives with security procedures; management objectives translate into policy, policy translates into procedures. Security procedures will necessitate specialized teams such as the computer incident response and management group as well as specialized tools such as the security mechanisms that comprise the security architecture. Security awareness will promote the policies, procedures and appropriate use of the security mechanisms.

QUESTION: 11
Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
A. Information security manager
B. Chief operating officer (COO)
C. Internal auditor
D. Legal counsel
Answer: B
Explanation: The chief operating officer (COO) is highly placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.

QUESTION: 12
The MOST important component of a privacy policy is:
A. notifications.
B. warranties.
C. liabilities.
D. geographic coverage.
Answer: A
Explanation: Privacy policies must contain notifications and opt-out provisions; they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

QUESTION: 13
The cost of implementing a security control should not exceed the:
A. annualized loss expectancy.
B. cost of an incident.
C. asset value.
D. implementation opportunity costs.
Answer: C
Explanation: The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses that are expected to happen during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.

QUESTION: 14
When a security standard conflicts with a business objective, the situation should be resolved by:
A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.
Answer: C
Explanation: Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis.

QUESTION: 15
Minimum standards for securing the technical infrastructure should be defined in a security:
A. strategy.
B. guidelines.
C. model.
D. architecture.
Answer: D
Explanation: Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.

QUESTION: 16
Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D. Budget estimates to acquire specific security tools
Answer: B
Explanation: A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until an information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.

QUESTION: 17
Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A. organizational risk.
B. organization-wide metrics.
C. security needs.
D. the responsibilities of organizational units.
Answer: A
Explanation: Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.

QUESTION: 18
Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D. Monitoring adherence to physical security controls
Answer: C
Explanation: Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.

QUESTION: 19
Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has difficulty filling vacancies.
B. The chief information officer (CIO) approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.
Answer: D
Explanation: A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals.

QUESTION: 20
Which of the following requirements would have the lowest level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business
Answer: A
Explanation: Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are government-mandated and, therefore, not subject to override. The needs of the business should always take precedence in deciding information security priorities.
