Isaca- CISM
Posted by Superadmin on July 24 2020 07:40:51


Question ID 16806

Who should be responsible for enforcing access rights to application data?

Option A

Data owners

Option B

Business process owners

Option C

The security steering committee

Option D

Security administrators

Correct Answer D
Description Explanation: As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.
Update Date and Time 2017-12-29 04:29:26


Question ID 16807

The MOST important component of a privacy policy is:

Option A

notifications.

Option B

warranties.

Option C

liabilities.

Option D

geographic coverage.

Correct Answer A

Description Explanation: Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.
Update Date and Time 2017-12-29 04:30:17


Question ID 16808

Investment in security technology and processes should be based on:

Option A

clear alignment with the goals and objectives of the organization.

Option B

success cases that have been experienced in previous projects.

Option C

best business practices.

Option D

safeguards that are inherent in existing technology.

Correct Answer A
Description Explanation: An organization's maturity in protecting information is reflected in a clear alignment of security investment with the goals and objectives of the organization. Experience in previous projects depends on other business models, which may not apply to the current one. Best business practices may not be applicable to the organization's business needs. Safeguards inherent in existing technology are low cost but may not address all business needs and/or goals of the organization.
Update Date and Time 2017-12-29 04:30:59


Question ID 16809

A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?

Option A

Examples of genuine incidents at similar organizations

Option B

Statement of generally accepted best practices

Option C

Associating realistic threats to corporate objectives

Option D

Analysis of current technological exposures

Correct Answer C
Description Explanation: Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.
Update Date and Time 2017-12-29 04:31:40


Question ID 16810

When a security standard conflicts with a business objective, the situation should be resolved by:

Option A

changing the security standard.

Option B

changing the business objective.

Option C

performing a risk analysis.

Option D

authorizing a risk acceptance.

Correct Answer C
Description Explanation: Conflicts of this type should be resolved by a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis.
Update Date and Time 2017-12-29 04:32:22


Question ID 16811

Minimum standards for securing the technical infrastructure should be defined in a security:

Option A

strategy.

Option B

guidelines.

Option C

model.

Option D

architecture.

Correct Answer D

Description Explanation: Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.
Update Date and Time 2017-12-29 04:35:34


Question ID 16812

An information security manager must understand the relationship between information security and business operations in order to:

Option A

support organizational objectives.

Option B

determine likely areas of noncompliance.

Option C

assess the possible impacts of compromise.

Option D

understand the threats to the business.

Correct Answer A
Description Explanation: Security exists to provide a level of predictability for operations, support for the activities of the organization and to ensure preservation of the organization. Business operations must be the driver for security activities in order to set meaningful objectives, determine and manage the risks to those activities, and provide a basis to measure the effectiveness of and provide guidance to the security program. Regulatory compliance may or may not be an organizational requirement. If compliance is a requirement, some level of compliance must be supported but compliance is only one aspect. It is necessary to understand the business goals in order to assess potential impacts and evaluate threats. These are some of the ways in which security supports organizational objectives, but they are not the only ways.
Update Date and Time 2017-12-29 04:36:18


Question ID 16813

Which of the following should be the FIRST step in developing an information security plan?

Option A

Perform a technical vulnerabilities assessment

Option B

Analyze the current business strategy

Option C

Perform a business impact analysis

Option D

Assess the current levels of security awareness

Correct Answer B

Description Explanation: Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.
Update Date and Time 2017-12-29 04:37:12


Question ID 16814

Information security governance is PRIMARILY driven by:

Option A

technology constraints.

Option B

regulatory requirements.

Option C

litigation potential.

Option D

business strategy.

Correct Answer D
Description Explanation: Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.
Update Date and Time 2017-12-29 04:37:52


Question ID 16815

When developing an information security program, what is the MOST useful source of information for determining available resources?

Option A

Proficiency test

Option B

Job descriptions

Option C

Organization chart

Option D

Skills inventory

Correct Answer D

Description Explanation: A skills inventory would help identify the available resources, any gaps and the training requirements for developing resources. Proficiency testing is useful but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.
Update Date and Time 2017-12-29 04:38:28