https://www.newpassleader.com/ISACA/CISM-exam-preparation-materials.html
NEW QUESTION NO: 6
From an information security manager perspective, what is the immediate benefit of clearly-defined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability
Answer: D
Explanation/Reference:
Explanation:
Without well-defined roles and responsibilities, there cannot be accountability. Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct.
Choice B is incorrect because people can be assigned to execute procedures that are not well designed.
Choice C is incorrect because segregation of duties is not automatic, and roles may still include conflicting duties.
NEW QUESTION NO: 7
The PRIMARY objective of security awareness is to:
A. ensure that security policies are understood.
B. influence employee behavior.
C. ensure legal and regulatory compliance.
D. notify of actions for noncompliance.
Answer: B
Explanation/Reference:
Explanation:
It is most important that security-conscious behavior be encouraged among employees through training that influences expected responses to security incidents. Ensuring that policies are read and understood, giving employees fair warning of potential disciplinary action, or meeting legal and regulatory requirements is important but secondary.
NEW QUESTION NO: 8
An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
A. corporate data privacy policy.
B. data privacy policy where data are collected.
C. data privacy policy of the headquarters' country.
D. data privacy directive applicable globally.
Answer: B
Explanation/Reference:
Explanation:
As a subsidiary, the local entity will have to comply with the local law for data collected in the country.
Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from those of the country in which the organization is headquartered, it is improbable that a group-wide policy will address all the local legal requirements. In the case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. Data privacy laws are country-specific.
NEW QUESTION NO: 9
A successful information security management program should use which of the following to determine the amount of resources devoted to mitigating exposures?
A. Risk analysis results
B. Audit report findings
C. Penetration test results
D. Amount of IT budget available
Answer: A
Explanation/Reference:
Explanation:
Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures. Audit report findings may not address all risks and do not address annual loss frequency. Penetration test results provide only a limited view of exposures, while the IT budget is not tied to the exposures faced by the organization.
NEW QUESTION NO: 10
When an organization is implementing an information security governance program, its board of directors should be responsible for:
A. drafting information security policies.
B. reviewing training and awareness programs.
C. setting the strategic direction of the program.
D. auditing for compliance.
Answer: C
Explanation/Reference:
Explanation:
A board of directors should establish the strategic direction of the program to ensure that it is in sync with the company's vision and business goals. The board must incorporate the governance program into the overall corporate business strategy. Drafting information security policies is best fulfilled by someone such as a security manager with the expertise to bring balance, scope and focus to the policies. Reviewing training and awareness programs may best be handled by security management and training staff to ensure that the training is on point and follows best practices. Auditing for compliance is best left to the internal and external auditors to provide an objective review of the program and how it meets regulatory and statutory compliance.
NEW QUESTION NO: 11
Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?
A. Communicating specially drafted messages by an authorized person
B. Refusing to comment until recovery
C. Referring the media to the authorities
D. Reporting the losses and recovery strategy to the media
Answer: A
Explanation/Reference:
Explanation:
Proper messages need to be sent quickly through a specific identified person so that there are no rumors or statements made that may damage reputation. Choices B, C and D are not recommended until the message to be communicated is made clear and the spokesperson has already spoken to the media.
NEW QUESTION NO: 12
The organization has decided to outsource the majority of the IT department with a vendor that is hosting servers in a foreign country. Of the following, which is the MOST critical security consideration?
A. Laws and regulations of the country of origin may not be enforceable in the foreign country.
B. A security breach notification might get delayed due to the time difference.
C. Additional network intrusion detection sensors should be installed, resulting in an additional cost.
D. The company could lose physical control over the server and be unable to monitor the physical security posture of the servers.
Answer: A
Explanation/Reference:
Explanation:
A company is held to the local laws and regulations of the country in which the company resides, even if the company decides to place servers with a vendor that hosts the servers in a foreign country. A potential violation of local laws applicable to the company might not be recognized or rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to communicate notifications. Option C is a manageable problem that requires additional funding, but can be addressed. Option D is a problem that can be addressed. Most hosting providers have standardized the level of physical security that is in place. Regular physical audits or a SAS 70 report can address such concerns.
NEW QUESTION NO: 13
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
A. User ad hoc reporting is not logged
B. Network traffic is through a single switch
C. Operating system (OS) security patches have not been applied
D. Database security defaults to ERP settings
Answer: C
Explanation/Reference:
Explanation:
The fact that operating system (OS) security patches have not been applied is a serious weakness.
Routing network traffic through a single switch is not unusual. Although the lack of logging for user ad hoc reporting is not necessarily good, it does not represent as serious a security weakness as the failure to install security patches. Database security defaulting to the ERP system's settings is not as significant.
NEW QUESTION NO: 14
For virtual private network (VPN) access to the corporate network, the information security manager is requiring strong authentication. Which of the following is the strongest method to ensure that logging onto the network is secure?
A. Biometrics
B. Symmetric encryption keys
C. Secure Sockets Layer (SSL)-based authentication
D. Two-factor authentication
Answer: D
Explanation/Reference:
Explanation:
Two-factor authentication requires more than one type of user authentication. While biometrics provides unique authentication, it is not strong by itself, unless a PIN or some other authentication factor is used with it. Biometric authentication by itself is also subject to replay attacks. A symmetric encryption method that uses the same secret key to encrypt and decrypt data is not a typical authentication mechanism for end users. This private key could still be compromised. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. SSL is not an authentication mechanism. If SSL is used with a client certificate and a password, it would be a two-factor authentication.
NEW QUESTION NO: 15
Which of the following should be included in an annual information security budget that is submitted for management approval?
A. A cost-benefit analysis of budgeted resources
B. All of the resources that are recommended by the business
C. Total cost of ownership (TCO)
D. Baseline comparisons
Answer: A
Explanation/Reference:
Explanation:
A brief explanation of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Explanations of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget. Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval.
NEW QUESTION NO: 16
What is the MOST important success factor in launching a corporate information security awareness program?
A. Adequate budgetary support
B. Centralized program management
C. Top-down approach
D. Experience of the awareness trainers
Answer: C
Explanation/Reference:
Explanation:
Senior management support will provide enough resources and will focus attention on the program: training should start at the top levels to gain support and sponsorship. Funding is not a primary concern.
Centralized management does not provide sufficient support. Trainer experience, while important, is not the primary success factor.