Knowledge Checks are designed to help reinforce important concepts from the Review Manual to further enhance your learning.

They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

Question: 13 The cost of implementing a security control should not exceed the:
A.
Answer: C
Explanation: The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses that are expected to happen during a single calendar year. A security mechanism may cost more than this amount, or more than the cost of a single incident, and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.

Question: 14 When a security standard conflicts with a business objective, the situation should be resolved by:
A.
Question: 15 Minimum standards for securing the technical infrastructure should be defined in a security:
A.
Answer: D
Explanation: Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.

Question: 16 Which of the following is MOST appropriate for inclusion in an information security strategy?
A. Business controls designated as key controls
B. Security processes, methods, tools and techniques
C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
D.
Answer: B
Explanation: Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy either; until the information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and IDS settings are technical details subject to periodic change, and are not appropriate content for a strategy document.
Question: 17 Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
A.
Answer: A
Explanation: Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs, and organizational or business risk should always take precedence. Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management, but only after the overall organizational risk has been identified.

Question: 18 Which of the following roles would represent a conflict of interest for an information security manager?
A. Evaluation of third parties requesting connectivity
B. Assessment of the adequacy of disaster recovery plans
C. Final approval of information security policies
D.
Answer: C
Explanation: Final approval of information security policies should rest with senior management or the steering committee, because the information security manager is the party who develops and enforces those policies. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.
Question: 19 Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
A. The information security department has difficulty filling vacancies.
B. The chief information officer (CIO) approves security policy changes.
C. The information security oversight committee only meets quarterly.
D. The data center manager has final signoff on all security projects.
Answer: D
Explanation: A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the CIO approve the security policy due to the size of the organization and the frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals.

Question: 20 Which of the following requirements would have the lowest level of priority in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business
Answer: A
Explanation: Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are government-mandated and, therefore, not subject to override. The needs of the business should always take precedence in deciding information security priorities.

Question: 21 When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
A. Develop a security architecture
B. Establish good communication with steering committee members
C. Assemble an experienced staff
D. Benchmark peer organizations
Answer: B
Explanation: New information security managers should seek to build rapport and establish lines of communication with senior management to enlist their support. Benchmarking peer organizations is beneficial to better understand industry best practices, but it is secondary to obtaining senior management support. Similarly, developing a security architecture and assembling an experienced staff are objectives that can be attained later.

Question: 22 It is MOST important that information security architecture be aligned with which of the following?
A. Industry best practices
B. Information technology plans
C. Information security best practices
D. Business objectives and goals
Answer: D
Explanation: Information security architecture should always be properly aligned with business goals and objectives.
You can use this summary to review the task and knowledge statements in the job practice and get an idea of where you should primarily focus your study efforts.

While the Review Manual does not include every concept that could be tested on the CISM exam, it does cover a breadth of knowledge that provides a solid base for the exam. The manual is one source of preparation for the exam and should not be thought of as the only source nor viewed as a comprehensive collection of all the information and experience that are required to pass the exam.

Manual Features
The CISM Review Manual includes several features to help you navigate the CISM job practice and enhance your learning and retention of the material.

Knowledge Checks
Knowledge Checks are activities designed to put the ... These include matching questions, scenarios, recall questions and other activities to further enhance your learning. The answer key ...

Case Studies
Case studies provide scenario-based learning that focuses on the concepts presented within each chapter. Each case study includes an information security management scenario related to each domain and questions related to the scenario. The purpose of these case studies is to ...

Glossary
A glossary is included at the end of the manual and contains terms that apply to the material included in the chapters. Also ... The glossary is an extension of the text in the manual and can, therefore, be another indication of areas in which the candidate may need to seek additional references.

... the appropriate answer that is MOST likely or BEST, or the candidate may be asked to choose a practice or procedure that ... The best answer is ... of the choices provided. There can be many potential solutions to the scenarios posed in the questions, depending on industry, geographical location, etc. The candidate is asked to choose the correct or best answer from the options. In some instances, a scenario or description also may be included. ... understanding of the question. With this ... experience to determine which is the best answer to the question. ... for the exam is to recognize that information security is a global profession, and individual perceptions and experiences may not reflect the more global position or circumstance. Because ... security managers from around the world. This ... geographic representation ensures that all exam questions are understood equally in every country and language. Since actual exam questions often relate to practical experiences, candidates should refer to their own experiences and other reference sources, and draw upon the experiences of colleagues and others who have earned the CISM designation. The candidate is cautioned to read each question carefully.

... CISM exam preparation. These products are based on the CISM job practice, and referenced task and knowledge statements can ... 12 Month Subscription ... CISM job practice. The database consists of the 1,... questions ... Sample exams also can be chosen by domain, allowing for concentrated study, one domain at a time, and other sorting features such as the omission of previously correctly answered questions are available. It should be noted that ... of the correct and incorrect answers. These products are ideal for ... or as part of a final review to determine where candidates may need additional study. It should be noted that these questions ... measuring and testing practical knowledge and the application of information security managerial principles and standards. As previously mentioned, all questions are presented in a multiple-choice format and are designed for one best answer.

This chapter reviews the body of knowledge and associated tasks ... The task and knowledge statements are the basis for the exam. The knowledge statements delineate each of the areas in which the CISM candidate must have a good ... has the knowledge necessary to: ... Note that although there is often overlap, each task statement will generally ... The references in the manual focus on the knowledge the information security manager must know to accomplish the tasks and successfully negotiate the exam.

Task Statement / Knowledge Statements / Reference in Manual
T1. ...
K1. ... authority and escalation points ... staff across the organization, e.g. ... users, privileged or high-risk users ...

All questions are multiple choice and are designed ... The candidate is asked to ... The stem ... These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided.