Download Certified Information Security Manager.CISM.ActualTests.2018-11-17.385q.vcex

Vendor: Financial
Exam Code: CISM
Exam Name: Certified Information Security Manager
Date: Nov 17, 2018
File Size: 341 KB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
Reviewing which of the following would BEST ensure that security controls are effective? 
  1. Risk assessment policies
  2. Return on security investment
  3. Security metrics
  4. User access rights
Correct answer: C
Explanation:
Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.
Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.
Question 2
Which of the following is responsible for legal and regulatory liability?
  1. Chief security officer (CSO)
  2. Chief legal counsel (CLC)
  3. Board and senior management
  4. Information security steering group
Correct answer: C
Explanation:
The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Question 3
While implementing information security governance an organization should FIRST:
  1. adopt security standards.
  2. determine security baselines.
  3. define the security strategy.
  4. establish security policies.
Correct answer: C
Explanation:
The first step in implementing information security governance is to define the security strategy based on which security baselines are determined. Adopting suitable security- standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.
The first step in implementing information security governance is to define the security strategy based on which security baselines are determined. Adopting suitable 
security- standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.
Question 4
The MOST basic requirement for an information security governance program is to:
  1. be aligned with the corporate business strategy.
  2. be based on a sound risk management approach.
  3. provide adequate regulatory compliance.
  4. provide best practices for security- initiatives.
Correct answer: A
Explanation:
To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.
To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.
Question 5
Information security policy enforcement is the responsibility of the:
  1. security steering committee.
  2. chief information officer (CIO).
  3. chief information security officer (CISO).
  4. chief compliance officer (CCO).
Correct answer: C
Explanation:
Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.
Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.
Question 6
A good privacy statement should include:
  1. notification of liability on accuracy of information.
  2. notification that information will be encrypted.
  3. what the company will do with information it collects.
  4. a description of the information classification process.
Correct answer: C
Explanation:
Most privacy laws and regulations require disclosure on how information will be used. Choice A is incorrect because that information should be located in the web site's disclaimer. Choice B is incorrect because, although encryption may be applied, this is not generally disclosed. Choice D is incorrect because information classification would be contained in a separate policy.
Most privacy laws and regulations require disclosure on how information will be used. Choice A is incorrect because that information should be located in the web site's disclaimer. Choice B is incorrect because, although encryption may be applied, this is not generally disclosed. Choice D is incorrect because information classification would be contained in a separate policy.
Question 7
Which of the following would be MOST effective in successfully implementing restrictive password policies?
  1. Regular password audits
  2. Single sign-on system
  3. Security awareness program
  4. Penalties for noncompliance
Correct answer: C
Explanation:
To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.
To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.
Question 8
At what stage of the applications development process should the security department initially become involved?
  1. When requested
  2. At testing
  3. At programming
  4. At detail requirements
Correct answer: D
Explanation:
Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process. 
Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process. 
Question 9
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value? 
  1. Examples of genuine incidents at similar organizations
  2. Statement of generally accepted best practices
  3. Associating realistic threats to corporate objectives
  4. Analysis of current technological exposures
Correct answer: C
Explanation:
Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.
Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.
Question 10
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
  1. generally accepted industry best practices.
  2. business requirements.
  3. legislative and regulatory requirements.
  4. storage availability.
Correct answer: B
Explanation:
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided
Question 11
Reviewing which of the following would BEST ensure that security controls are effective? 
  1. Risk assessment policies
  2. Return on security investment
  3. Security metrics
  4. User access rights
Correct answer: C
Explanation:
Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.
Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justifications in implementing controls, but does not measure effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.
Question 12
Which of the following is responsible for legal and regulatory liability?
  1. Chief security officer (CSO)
  2. Chief legal counsel (CLC)
  3. Board and senior management
  4. Information security steering group
Correct answer: C
Explanation:
The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.
Question 13
While implementing information security governance an organization should FIRST:
  1. adopt security standards.
  2. determine security baselines.
  3. define the security strategy.
  4. establish security policies.
Correct answer: C
Explanation:
The first step in implementing information security governance is to define the security strategy based on which security baselines are determined. Adopting suitable security- standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.
The first step in implementing information security governance is to define the security strategy based on which security baselines are determined. Adopting suitable 
security- standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.
Question 14
The MOST basic requirement for an information security governance program is to:
  1. be aligned with the corporate business strategy.
  2. be based on a sound risk management approach.
  3. provide adequate regulatory compliance.
  4. provide best practices for security- initiatives.
Correct answer: A
Explanation:
To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.
To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.
Question 15
Information security policy enforcement is the responsibility of the:
  1. security steering committee.
  2. chief information officer (CIO).
  3. chief information security officer (CISO).
  4. chief compliance officer (CCO).
Correct answer: C
Explanation:
Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.
Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.
Question 16
A good privacy statement should include:
  1. notification of liability on accuracy of information.
  2. notification that information will be encrypted.
  3. what the company will do with information it collects.
  4. a description of the information classification process.
Correct answer: C
Explanation:
Most privacy laws and regulations require disclosure on how information will be used. Choice A is incorrect because that information should be located in the web site's disclaimer. Choice B is incorrect because, although encryption may be applied, this is not generally disclosed. Choice D is incorrect because information classification would be contained in a separate policy.
Most privacy laws and regulations require disclosure on how information will be used. Choice A is incorrect because that information should be located in the web site's disclaimer. Choice B is incorrect because, although encryption may be applied, this is not generally disclosed. Choice D is incorrect because information classification would be contained in a separate policy.
Question 17
Which of the following would be MOST effective in successfully implementing restrictive password policies?
  1. Regular password audits
  2. Single sign-on system
  3. Security awareness program
  4. Penalties for noncompliance
Correct answer: C
Explanation:
To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.
To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would go around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.
Question 18
At what stage of the applications development process should the security department initially become involved?
  1. When requested
  2. At testing
  3. At programming
  4. At detail requirements
Correct answer: D
Explanation:
Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process. 
Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process. 
Question 19
A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value? 
  1. Examples of genuine incidents at similar organizations
  2. Statement of generally accepted best practices
  3. Associating realistic threats to corporate objectives
  4. Analysis of current technological exposures
Correct answer: C
Explanation:
Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.
Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.
Question 20
The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
  1. generally accepted industry best practices.
  2. business requirements.
  3. legislative and regulatory requirements.
  4. storage availability.
Correct answer: B
Explanation:
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided
The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX AND EXAM FILES

Use ProfExam Simulator to open VCEX and EXAM files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!