Download Certified Information Security Manager.CISM.PracticeTest.2018-10-09.368q.vcex

Vendor: Financial
Exam Code: CISM
Exam Name: Certified Information Security Manager
Date: Oct 09, 2018
File Size: 327 KB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
What is the PRIMARY role of the information security manager in the process of information classification within an organization?
  1. Defining and ratifying the classification structure of information assets
  2. Deciding the classification levels applied to the organization's information assets
  3. Securing information assets in accordance with their classification
  4. Checking if information assets have been classified properly
Correct answer: A
Explanation:
Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.
Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.
Question 2
Logging is an example of which type of defense against systems compromise?
  1. Containment
  2. Detection
  3. Reaction
  4. Recovery
Correct answer: B
Explanation:
Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
Question 3
Which of the following is MOST important in developing a security strategy?
  1. Creating a positive business security environment
  2. Understanding key business objectives
  3. Having a reporting line to senior management
  4. Allocating sufficient resources to information security
Correct answer: B
Explanation:
Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Question 4
Who is ultimately responsible for the organization's information?
  1. Data custodian
  2. Chief information security officer (CISO)
  3. Board of directors
  4. Chief information officer (CIO)
Correct answer: C
Explanation:
The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.
The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.
Question 5
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
  1. Alignment with industry best practices
  2. Business continuity investment
  3. Business benefits
  4. Regulatory compliance
Correct answer: D
Explanation:
Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.
Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.
Question 6
A security manager meeting the requirements for the international flow of personal data will need to ensure:
  1. a data processing agreement.
  2. a data protection registration.
  3. the agreement of the data subjects.
  4. subject access procedures.
Correct answer: C
Explanation:
Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.
Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.
Question 7
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
  1. Ethics
  2. Proportionality
  3. Integration
  4. Accountability
Correct answer: B
Explanation:
Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation.
Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation.
Question 8
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
  1. Senior management commitment
  2. Information security framework
  3. Information security organizational structure
  4. Information security policy
Correct answer: A
Explanation:
Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.
Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.
Question 9
What will have the HIGHEST impact on standard information security governance models?
  1. Number of employees
  2. Distance between physical locations
  3. Complexity of organizational structure
  4. Organizational budget
Correct answer: C
Explanation:
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance. Organizational budget is not a major impact once good governance models are in place; hence governance will help in effective management of the organization's budget.
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance. Organizational budget is not a major impact once good governance models are in place; hence governance will help in effective management of the organization's budget.
Question 10
In order to highlight to management, the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
  1. prepare a security budget.
  2. conduct a risk assessment.
  3. develop an information security policy.
  4. obtain benchmarking information.
Correct answer: B
Explanation:
Risk assessment, evaluation and impact analysis will be the starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment, evaluation and impact analysis will be the starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Question 11
What is the PRIMARY role of the information security manager in the process of information classification within an organization?
  1. Defining and ratifying the classification structure of information assets
  2. Deciding the classification levels applied to the organization's information assets
  3. Securing information assets in accordance with their classification
  4. Checking if information assets have been classified properly
Correct answer: A
Explanation:
Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.
Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.
Question 12
Logging is an example of which type of defense against systems compromise?
  1. Containment
  2. Detection
  3. Reaction
  4. Recovery
Correct answer: B
Explanation:
Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
Question 13
Which of the following is MOST important in developing a security strategy?
  1. Creating a positive business security environment
  2. Understanding key business objectives
  3. Having a reporting line to senior management
  4. Allocating sufficient resources to information security
Correct answer: B
Explanation:
Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.
Question 14
Who is ultimately responsible for the organization's information?
  1. Data custodian
  2. Chief information security officer (CISO)
  3. Board of directors
  4. Chief information officer (CIO)
Correct answer: C
Explanation:
The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.
The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.
Question 15
Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
  1. Alignment with industry best practices
  2. Business continuity investment
  3. Business benefits
  4. Regulatory compliance
Correct answer: D
Explanation:
Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.
Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.
Question 16
A security manager meeting the requirements for the international flow of personal data will need to ensure:
  1. a data processing agreement.
  2. a data protection registration.
  3. the agreement of the data subjects.
  4. subject access procedures.
Correct answer: C
Explanation:
Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.
Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.
Question 17
An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
  1. Ethics
  2. Proportionality
  3. Integration
  4. Accountability
Correct answer: B
Explanation:
Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation.
Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation.
Question 18
Which of the following is the MOST important prerequisite for establishing information security management within an organization?
  1. Senior management commitment
  2. Information security framework
  3. Information security organizational structure
  4. Information security policy
Correct answer: A
Explanation:
Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.
Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.
Question 19
What will have the HIGHEST impact on standard information security governance models?
  1. Number of employees
  2. Distance between physical locations
  3. Complexity of organizational structure
  4. Organizational budget
Correct answer: C
Explanation:
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance. Organizational budget is not a major impact once good governance models are in place; hence governance will help in effective management of the organization's budget.
Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance. Organizational budget is not a major impact once good governance models are in place; hence governance will help in effective management of the organization's budget.
Question 20
In order to highlight to management, the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
  1. prepare a security budget.
  2. conduct a risk assessment.
  3. develop an information security policy.
  4. obtain benchmarking information.
Correct answer: B
Explanation:
Risk assessment, evaluation and impact analysis will be the starting point for driving management's attention to information security. All other choices will follow the risk assessment.
Risk assessment, evaluation and impact analysis will be the starting point for driving management's attention to information security. All other choices will follow the risk assessment.
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX AND EXAM FILES

Use ProfExam Simulator to open VCEX and EXAM files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!