Isaca CISM Exam: Certified Information Security Manager

Total Questions: 631 Last Updated: February 14, 2018
  • Updated CISM Dumps
  • Based on Real CISM Exams Scenarios
  • Free CISM pdf Demo Available
  • Check out our CISM Dumps in a new PDF format
  • Instant CISM download
  • Guarantee CISM success in first attempt

Shortcuts To CISM (171 to 180)

We provide real CISM exam questions and answers braindumps in two formats: downloadable PDF and Practice Tests. Pass the Isaca CISM exam quickly and easily. The CISM PDF format is available for reading and printing, so you can print it and practice as many times as you like. With the help of our Isaca CISM dumps PDF and VCE products and material, you can easily pass the CISM exam.

Q171. Which of the following would BEST ensure the success of information security governance within an organization? 

A. Steering committees approve security projects 

B. Security policy training provided to all managers 

C. Security training available to all employees on the intranet 

D. Steering committees enforce compliance with laws and regulations 



The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee. 

Q172. The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration? 

A. Laws and regulations of the country of origin may not be enforceable in the foreign country. 

B. A security breach notification might get delayed due to the time difference. 

C. Additional network intrusion detection sensors should be installed, resulting in an additional cost. 

D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers. 



A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Option C is a manageable problem that requires additional funding, but can be addressed. Option D is a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or a SAS 70 report can address such concerns. 

Q173. Which of the following should be included in an annual information security budget that is submitted for management approval? 

A. A cost-benefit analysis of budgeted resources 

B. All of the resources that are recommended by the business 

C. Total cost of ownership (TCO) 

D. Baseline comparisons 



A brief explanation of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Explanations of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget. Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval. 

Q174. When the computer incident response team (CIRT) finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify: 

A. the information security steering committee. 

B. customers who may be impacted. 

C. data owners who may be impacted. 

D. regulatory agencies overseeing privacy. 



The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Other parties will be notified later as required by corporate policy and regulatory requirements. 

Q175. Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization? 

A. The information security department has difficulty filling vacancies. 

B. The chief information officer (CIO) approves security policy changes. 

C. The information security oversight committee only meets quarterly. 

D. The data center manager has final signoff on all security projects. 



A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals. 

Q176. When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss? 

A. Evaluate productivity losses 

B. Assess the impact of confidential data disclosure 

C. Calculate the value of the information or asset 

D. Measure the probability of occurrence of each threat 



Calculating the value of the information or asset is the first step in a risk analysis process to determine the impact to the organization, which is the ultimate goal. Determining how much productivity could be lost and how much it would cost is a step in the estimation of potential risk process. Knowing the impact if confidential information is disclosed is also a step in the estimation of potential risk. Measuring the probability of occurrence for each threat identified is a step in performing a threat analysis and therefore a partial answer. 

Q177. When performing an information risk analysis, an information security manager should FIRST: 

A. establish the ownership of assets. 

B. evaluate the risks to the assets. 

C. take an asset inventory. 

D. categorize the assets. 



Assets must be inventoried before any of the other choices can be performed. 

Q178. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an organization. There is disagreement between the information security manager and the business department manager who will own the process regarding the results and the assigned risk. Which of the following would be the BEST approach of the information security manager? 

A. Acceptance of the business manager's decision on the risk to the corporation 

B. Acceptance of the information security manager's decision on the risk to the corporation 

C. Review of the assessment with executive management for final input 

D. A new risk assessment and BIA are needed to resolve the disagreement 



Executive management must be supportive of the process and fully understand and agree with the results since risk management decisions can often have a large financial impact and require major changes. Risk management means different things to different people, depending upon their role in the organization, so the input of executive management is important to the process. 

Q179. What would be the MOST significant security risk when using wireless local area network (LAN) technology? 

A. Man-in-the-middle attack 

B. Spoofing of data packets 

C. Rogue access point 

D. Session hijacking 



A rogue access point masquerades as a legitimate access point. The risk is that legitimate users may connect through this access point and have their traffic monitored. None of the other choices depends on the use of wireless local area network (LAN) technology. 

Q180. Which of the following is the MOST important to keep in mind when assessing the value of information? 

A. The potential financial loss 

B. The cost of recreating the information 

C. The cost of insurance coverage 

D. Regulatory requirement 



The potential for financial loss is always a key factor when assessing the value of information. Choices B, C and D may be contributors, but not the key factor. 
