CISM Practice Exam Dumps Can Help You Prepare Exam Well – Valid IT Exam Dumps Questions

23.10.2021, 20:08

https://www.dumpsbase.com/freedumps/cism-practice-exam-dumps-can-help-you-prepare-exam-well.html

JUNE 19, 2020

CISM Practice Exam Dumps Can Help You Prepare Exam Well

Why choose CISM practice exam dumps online? We can be sure that you can get the biggest help to prepare for your Certified Information Security Manager exam well. Certified Information Security Manager (CISM) is issued by ISACA, which indicates expertise in information security governance, program development and management, incident management and risk management. We collect CISM practice exam dumps online for doing your best preparation.

Here, you can read CISM free dumps online.

Congratulations - you have completed this exam.

Your answers are shown below:


1. Which of the following should be the FIRST step in developing an information security plan?
Perform a technical vulnerabilities assessment
Analyze the current business strategy
Perform a business impact analysis
Assess the current levels of security awareness
Question was not answered

Explanation:
Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.

2. Senior management commitment and support for information security can BEST be obtained through presentations that:
use illustrative examples of successful attacks.
explain the technical risks to the organization.
evaluate the organization against best security practices.
tie security risks to key business objectives.
Question was not answered

Explanation:
Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives. Senior management will not be as interested in technical risks or examples of successful attacks if they are not tied to the impact on business environment and objectives. Industry best practices are important to senior management but, again, senior management will give them the right level of importance when they are presented in terms of key business objectives.

3. The MOST appropriate role for senior management in supporting information security is the:
evaluation of vendors offering security products.
assessment of risks to the organization.
approval of policy statements and funding.
monitoring adherence to regulatory requirements.
Question was not answered

Explanation:
Since the members of senior management are ultimately responsible for information security, they are the ultimate decision makers in terms of governance and direction. They are responsible for approval of major policy statements and requests to fund the information security practice. Evaluation of vendors, assessment of risks and monitoring compliance with regulatory requirements are day-to-day responsibilities of the information security manager; in some organizations, business management is involved in these other activities, though their primary role is direction and governance.

4. Which of the following would BEST ensure the success of information security governance within an organization?
Steering committees approve security projects
Security policy training provided to all managers
Security training available to all employees on the intranet
Steering committees enforce compliance with laws and regulations
Question was not answered

Explanation:
The existence of a steering committee that approves all security projects would be an indication of the existence of a good governance program. Compliance with laws and regulations is part of the responsibility of the steering committee but it is not a full answer. Awareness training is important at all levels in any medium, and also an indicator of good governance. However, it must be guided and approved as a security project by the steering committee.

5. Information security governance is PRIMARILY driven by:
technology constraints.
regulatory requirements.
litigation potential.
business strategy.
Question was not answered

Explanation:
Governance is directly tied to the strategy and direction of the business. Technology constraints, regulatory requirements and litigation potential are all important factors, but they are necessarily in line with the business strategy.

6. Which of the following represents the MAJOR focus of privacy regulations?
Unrestricted data mining
Identity theft
Human rights protection
Identifiable personal data
Question was not answered

Explanation:
Protection of identifiable personal data is the major focus of recent privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Data mining is an accepted tool for ad hoc reporting; it could pose a threat to privacy only if it violates regulatory provisions. Identity theft is a potential consequence of privacy violations but not the main focus of many regulations. Human rights addresses privacy issues but is not the main focus of regulations.

7. Investments in information security technologies should be based on:
vulnerability assessments.
value analysis.
business climate.
audit recommendations.
Question was not answered

Explanation:
Investments in security technologies should be based on a value analysis and a sound business case. Demonstrated value takes precedence over the current business climate because it is ever changing. Basing decisions on audit recommendations would be reactive in nature and might not address the key business needs comprehensively. Vulnerability assessments are useful, but they do not determine whether the cost is justified.

8. Retention of business records should PRIMARILY be based on:
business strategy and direction.
regulatory and legal requirements.
storage capacity and longevity.
business ease and value analysis.
Question was not answered

Explanation:
Retention of business records is generally driven by legal and regulatory requirements. Business strategy and direction would not normally apply nor would they override legal and regulatory requirements. Storage capacity and longevity are important but secondary issues. Business case and value analysis would be secondary to complying with legal and regulatory requirements.

9. Which of the following is characteristic of centralized information security management?
More expensive to administer
Better adherence to policies
More aligned with business unit needs
Faster turnaround of requests
Question was not answered

Explanation:
Centralization of information security management results in greater uniformity and better adherence to security policies. It is generally less expensive to administer due to the economics of scale. However, turnaround can be slower due to the lack of alignment with business units.

10. Successful implementation of information security governance will FIRST require:
security awareness training.
updated security policies.
a computer incident management team.
a security architecture.
Question was not answered

Explanation:
Updated security policies are required to align management objectives with security procedures; management objectives translate into policy; policy translates into procedures. Security procedures will necessitate specialized teams such as the computer incident response and management group as well as specialized tools such as the security mechanisms that comprise the security architecture. Security awareness will promote the policies, procedures and appropriate use of the security mechanisms.

11. Which of the following individuals would be in the BEST position to sponsor the creation of an information security steering group?
Information security manager
Chief operating officer (COO)
Internal auditor
Legal counsel
Question was not answered

Explanation:
The chief operating officer (COO) is highly-placed within an organization and has the most knowledge of business operations and objectives. The chief internal auditor and chief legal counsel are appropriate members of such a steering group. However, sponsoring the creation of the steering committee should be initiated by someone versed in the strategy and direction of the business. Since a security manager is looking to this group for direction, they are not in the best position to oversee formation of this group.

12. The MOST important component of a privacy policy is:
notifications.
warranties.
liabilities.
geographic coverage.
Question was not answered

Explanation:
Privacy policies must contain notifications and opt-out provisions: they are a high-level management statement of direction. They do not necessarily address warranties, liabilities or geographic coverage, which are more specific.

13. The cost of implementing a security control should not exceed the:
annualized loss expectancy.
cost of an incident.
asset value.
implementation opportunity costs.
Question was not answered

Explanation:
The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses that are expected to happen during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.

14. When a security standard conflicts with a business objective, the situation should be resolved by:
changing the security standard.
changing the business objective.
performing a risk analysis.
authorizing a risk acceptance.
Question was not answered

Explanation:
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis.

15. Minimum standards for securing the technical infrastructure should be defined in a security:
strategy.
guidelines.
model.
architecture.
Question was not answered

Explanation:
Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.

16. Which of the following is MOST appropriate for inclusion in an information security strategy?
Business controls designated as key controls
Security processes, methods, tools and techniques
Firewall rule sets, network defaults and intrusion detection system (IDS) settings
Budget estimates to acquire specific security tools
Question was not answered

Explanation:
A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.

17. Senior management commitment and support for information security will BEST be attained by an information security manager by emphasizing:
organizational risk.
organization wide metrics.
security needs.
the responsibilities of organizational units.
Question was not answered

Explanation:
Information security exists to help the organization meet its objectives. The information security manager should identify information security needs based on organizational needs. Organizational or business risk should always take precedence. Involving each organizational unit in information security and establishing metrics to measure success will be viewed favorably by senior management after the overall organizational risk is identified.

18. Which of the following roles would represent a conflict of interest for an information security manager?
Evaluation of third parties requesting connectivity
Assessment of the adequacy of disaster recovery plans
Final approval of information security policies
Monitoring adherence to physical security controls
Question was not answered

Explanation:
Since management is ultimately responsible for information security, it should approve information security policy statements; the information security manager should not have final approval. Evaluation of third parties requesting access, assessment of disaster recovery plans and monitoring of compliance with physical security controls are acceptable practices and do not present any conflicts of interest.

19. Which of the following situations must be corrected FIRST to ensure successful information security governance within an organization?
The information security department has difficulty filling vacancies.
The chief information officer (CIO) approves security policy changes.
The information security oversight committee only meets quarterly.
The data center manager has final signoff on all security projects.
Question was not answered

Explanation:
A steering committee should be in place to approve all security projects. The fact that the data center manager has final signoff for all security projects indicates that a steering committee is not being used and that information security is relegated to a subordinate place in the organization. This would indicate a failure of information security governance. It is not inappropriate for an oversight or steering committee to meet quarterly. Similarly, it may be desirable to have the chief information officer (CIO) approve the security policy due to the size of the organization and frequency of updates. Difficulty in filling vacancies is not uncommon due to the shortage of good, qualified information security professionals.

20. Which of the following requirements would have the lowest level of priority in information security?
Technical
Regulatory
Privacy
Business
Question was not answered

Explanation:
Information security priorities may, at times, override technical specifications, which then must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are government-mandated and, therefore, not subject to override. The needs of the business should always take precedence in deciding information security priorities.

21. When an organization hires a new information security manager, which of the following goals should this individual pursue FIRST?
Develop a security architecture
Establish good communication with steering committee members
Assemble an experienced staff
Benchmark peer organizations
Question was not answered

Explanation:
New information security managers should seek to build rapport and establish lines of communication with senior management to enlist their support. Benchmarking peer organizations is beneficial to better understand industry best practices, but it is secondary to obtaining senior management support. Similarly, developing a security architecture and assembling an experienced staff are objectives that can be obtained later.

22. It is MOST important that information security architecture be aligned with which of the following?
Industry best practices
Information technology plans
Information security best practices
Business objectives and goals
Question was not answered

Explanation:
Information security architecture should always be properly aligned with business goals and objectives. Alignment with IT plans or industry and security best practices is secondary by comparison.

23. Which of the following is MOST likely to be discretionary?
Policies
Procedures
Guidelines
Standards
Question was not answered

Explanation:
Policies define security goals and expectations for an organization. These are defined in more specific terms within standards and procedures. Standards establish what is to be done while procedures describe how it is to be done. Guidelines provide recommendations that business management must consider in developing practices within their areas of control; as such, they are discretionary.

24. Security technologies should be selected PRIMARILY on the basis of their:
ability to mitigate business risks.
evaluations in trade publications.
use of new and emerging technologies.
benefits in comparison to their costs.
Question was not answered

Explanation:
The most fundamental evaluation criterion for the appropriate selection of any security technology is its ability to reduce or eliminate business risks. Investments in security technologies should be based on their overall value in relation to their cost; the value can be demonstrated in terms of risk mitigation. This should take precedence over whether they use new or exotic technologies or how they are evaluated in trade publications.

25. Which of the following are seldom changed in response to technological changes?
Standards
Procedures
Policies
Guidelines
Question was not answered

Explanation:
Policies are high-level statements of objectives. Because of their high-level nature and statement of broad operating principles, they are less subject to periodic change. Security standards and procedures as well as guidelines must be revised and updated based on the impact of technology changes.

26. The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in:
storage capacity and shelf life.
regulatory and legal requirements.
business strategy and direction.
application systems and media.
Question was not answered

Explanation:
Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover. Business strategy and direction do not generally apply, nor do legal and regulatory requirements. Storage capacity and shelf life are important but secondary issues.

27. Which of the following is characteristic of decentralized information security management across a geographically dispersed organization?
More uniformity in quality of service
Better adherence to policies
Better alignment to business unit needs
More savings in total operating costs
Question was not answered

Explanation:
Decentralization of information security management generally results in better alignment to business unit needs. It is generally more expensive to administer due to the lack of economies of scale. Uniformity in quality of service tends to vary from unit to unit.

28. Which of the following is the MOST appropriate position to sponsor the design and implementation of a new security infrastructure in a large global enterprise?
Chief security officer (CSO)
Chief operating officer (COO)
Chief privacy officer (CPO)
Chief legal counsel (CLC)
Question was not answered

Explanation:
The chief operating officer (COO) is most knowledgeable of business operations and objectives. The chief privacy officer (CPO) and the chief legal counsel (CLC) may not have the knowledge of the day-to-day business operations to ensure proper guidance, although they have the same influence within the organization as the COO. Although the chief security officer (CSO) is knowledgeable of what is needed, the sponsor for this task should be someone with far-reaching influence across the organization.

29. Which of the following would be the MOST important goal of an information security governance program?
Review of internal control mechanisms
Effective involvement in business decision making
Total elimination of risk factors
Ensuring trust in data
Question was not answered

Explanation:
The development of trust in the integrity of information among stakeholders should be the primary goal of information security governance. Review of internal control mechanisms relates more to auditing, while the total elimination of risk factors is not practical or possible. Proactive involvement in business decision making implies that security needs dictate business needs when, in fact, just the opposite is true. Involvement in decision making is important only to ensure business data integrity so that data can be trusted.

30. Relationships among security technologies are BEST defined through which of the following?
A. Security metrics
B. Network topology
C. Security architecture
D. Process improvement models

Explanation:

Security architecture explains the use and relationships of security mechanisms. Security metrics measure improvement within the security practice but do not explain the use and relationships of security technologies. Process improvement models and network topology diagrams also do not describe the use and relationships of these technologies.

31. A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
A. Enforce the existing security standard
B. Change the standard to permit the deployment
C. Perform a risk analysis to quantify the risk
D. Perform research to propose use of a better technology

Explanation:

Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be given without conducting such an analysis. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risks they present. Standards should not be changed without an appropriate risk assessment.

32. Acceptable levels of information security risk should be determined by:
A. legal counsel.
B. security management.
C. external auditors.
D. the steering committee.

Explanation:

Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel, the external auditors and security management are not in a position to make such a decision.

33. The PRIMARY goal in developing an information security strategy is to:
A. establish security metrics and performance monitoring.
B. educate business process owners regarding their duties.
C. ensure that legal and regulatory requirements are met.
D. support the business objectives of the organization.

Explanation:

The business objectives of the organization supersede all other factors. Establishing metrics and measuring performance, meeting legal and regulatory requirements, and educating business process owners are all subordinate to this overall goal.

34. Senior management commitment and support for information security can BEST be enhanced through:
A. a formal security policy sponsored by the chief executive officer (CEO).
B. regular security awareness training for employees.
C. periodic review of alignment with business management goals.
D. senior management signoff on the information security strategy.

Explanation:

Ensuring that security activities continue to be aligned with and support business goals is critical to obtaining senior management's support. Although having the chief executive officer (CEO) sign off on the security policy and senior management sign off on the security strategy makes for good visibility and demonstrates good tone at the top, each is a one-time discrete event that may be quickly forgotten by senior management. Security awareness training for employees will not have as much effect on senior management commitment.

35. When identifying legal and regulatory issues affecting information security, which of the following would represent the BEST approach to developing information security policies?
A. Create separate policies to address each regulation
B. Develop policies that meet all mandated requirements
C. Incorporate policy statements provided by regulators
D. Develop a compliance risk assessment

Explanation:

It will be much more efficient to craft all relevant requirements into policies than to create separate versions. Using statements provided by regulators will not capture all of the requirements mandated by different regulators. A compliance risk assessment is an important tool to verify that procedures ensure compliance once the policies have been established.

36. Which of the following MOST commonly falls within the scope of an information security governance steering committee?
A. Interviewing candidates for information security specialist positions
B. Developing content for security awareness programs
C. Prioritizing information security initiatives
D. Approving access to critical financial systems

Explanation:

Prioritizing information security initiatives is the only appropriate item. The interviewing of specialists should be performed by the information security manager, while the developing of program content should be performed by the information security staff. Approving access to critical financial systems is the responsibility of individual system data owners.

37. Which of the following is the MOST important factor when designing information security architecture?
A. Technical platform interfaces
B. Scalability of the network
C. Development methodologies
D. Stakeholder requirements

Explanation:

The most important factor for information security is that it advances the interests of the business, as defined by stakeholder requirements. Interoperability and scalability, as well as development methodologies, are all important but are without merit if a technologically elegant solution is achieved that does not meet the needs of the business.

38. Which of the following characteristics is MOST important when looking at prospective candidates for the role of chief information security officer (CISO)?
A. Knowledge of information technology platforms, networks and development methodologies
B. Ability to understand and map organizational needs to security technologies
C. Knowledge of the regulatory environment and project management techniques
D. Ability to manage a diverse group of individuals and resources across an organization

Explanation:

Information security will be properly aligned with the goals of the business only with the ability to understand and map organizational needs to the security technologies that enable them. All of the other choices are important but secondary to meeting business security needs.

39. Which of the following are likely to be updated MOST frequently?
A. Procedures for hardening database servers
B. Standards for password length and complexity
C. Policies addressing information security governance
D. Standards for document retention and destruction

Explanation:

Policies and standards should generally be more static and less subject to frequent change. Procedures, on the other hand, especially those for hardening servers and operating systems, will be subject to constant change; as the underlying platforms change and evolve, the procedures for hardening them will have to keep pace.

40. Who should be responsible for enforcing access rights to application data?
A. Data owners
B. Business process owners
C. The security steering committee
D. Security administrators

Explanation:

As custodians, security administrators are responsible for enforcing access rights to data. Data owners are responsible for approving these access rights. Business process owners are sometimes the data owners as well, and would not be responsible for enforcement. The security steering committee would not be responsible for enforcement.

41. The chief information security officer (CISO) should ideally have a direct reporting relationship to the:
A. head of internal audit.
B. chief operations officer (COO).
C. chief technology officer (CTO).
D. legal counsel.

Explanation:

The chief information security officer (CISO) should ideally report to as high a level within the organization as possible. Among the choices given, the chief operations officer (COO) would have not only the appropriate level but also the knowledge of day-to-day operations. The head of internal audit and legal counsel would make good secondary choices, although they would not be as knowledgeable of the operations. Reporting to the chief technology officer (CTO) could become problematic as the CTO's goals for the infrastructure might, at times, run counter to the goals of information security.

42. Which of the following is the MOST essential task for a chief information security officer (CISO) to perform?
A. Update platform-level security settings
B. Conduct disaster recovery test exercises
C. Approve access to critical financial systems
D. Develop an information security strategy paper

Explanation:

Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks.

43. Developing a successful business case for the acquisition of information security software products can BEST be assisted by:
A. assessing the frequency of incidents.
B. quantifying the cost of control failures.
C. calculating return on investment (ROI) projections.
D. comparing spending against similar organizations.

Explanation:

Calculating the return on investment (ROI) will most closely align security with the impact on the bottom line. Frequency and cost of incidents are factors that go into determining the impact on the business but, by themselves, are insufficient. Comparing spending against similar organizations can be problematic since similar organizations may have different business goals and appetites for risk.

44. When an information security manager is developing a strategic plan for information security, the timeline for the plan should be:
A. aligned with the IT strategic plan.
B. based on the current rate of technological change.
C. three-to-five years for both hardware and software.
D. aligned with the business strategy.

Explanation:

Any planning for information security should be properly aligned with the needs of the business. Technology should not come before the needs of the business, nor should planning be done on an artificial timetable that ignores business needs.

45. Which of the following is the MOST important information to include in a strategic plan for information security?
A. Information security staffing requirements
B. Current state and desired future state
C. IT capital investment requirements
D. Information security mission statement

Explanation:

It is most important to paint a vision for the future and then draw a road map from the starting point to the desired future state. Staffing, capital investment and the mission all stem from this foundation.

46. Information security projects should be prioritized on the basis of:
A. time required for implementation.
B. impact on the organization.
C. total cost for implementation.
D. mix of resources required.

Explanation:

Information security projects should be assessed on the basis of the positive impact that they will have on the organization. Time, cost and resource issues should be subordinate to this objective.

47. Which of the following is the MOST important information to include in an information security standard?
A. Creation date
B. Author name
C. Initial draft approval date
D. Last review date

Explanation:

The last review date confirms the currency of the standard, affirming that management has reviewed the standard to assure that nothing in the environment has changed that would necessitate an update to the standard. The name of the author as well as the creation and draft dates are not that important.

48. Which of the following would BEST prepare an information security manager for regulatory reviews?
A. Assign an information security administrator as regulatory liaison
B. Perform self-assessments using regulatory guidelines and reports
C. Assess previous regulatory reports with process owners' input
D. Ensure all regulatory inquiries are sanctioned by the legal department

Explanation:

Self-assessments provide the best feedback on readiness and permit identification of items requiring remediation. Directing regulators to a specific person or department, or assessing previous reports, is not as effective. The legal department should review all formal inquiries, but this does not help prepare for a regulatory review.

49. An information security manager at a global organization that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. establish baseline standards for all locations and add supplemental standards as required.
C. bring all locations into conformity with a generally accepted set of industry best practices.
D. establish a baseline standard incorporating those requirements that all jurisdictions have in common.

Explanation:

It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements. Seeking a lowest common denominator or just using industry best practices may cause certain locations to fail regulatory compliance. The opposite approach, forcing all locations to be in compliance with the aggregate of all regulations, places an undue burden on those locations.

50. Which of the following BEST describes an information security manager's role in a multidisciplinary team that will address a new regulatory requirement regarding operational risk?
A. Ensure that all IT risks are identified
B. Evaluate the impact of information security risks
C. Demonstrate that IT mitigating controls are in place
D. Suggest new IT controls to mitigate operational risk

Explanation:

The job of the information security officer on such a team is to assess the risks to the business operation. Choice A is incorrect because information security is not limited to IT issues. Choice C is incorrect because at the time a team is formed to assess risk, it is premature to assume that any demonstration of IT controls will mitigate business operations risk. Choice D is incorrect because it is premature at the time of the formation of the team to assume that any suggestion of new IT controls will mitigate business operational risk.

51. From an information security manager's perspective, what is the immediate benefit of clearly defined roles and responsibilities?
A. Enhanced policy compliance
B. Improved procedure flows
C. Segregation of duties
D. Better accountability

Explanation:

Without well-defined roles and responsibilities, there cannot be accountability. Choice A is incorrect because policy compliance requires adequately defined accountability first and therefore is a byproduct. Choice B is incorrect because people can be assigned to execute procedures that are not well designed. Choice C is incorrect because segregation of duties is not automatic, and roles may still include conflicting duties.

52. An internal audit has identified major weaknesses over IT processing. Which of the following should an information security manager use to BEST convey a sense of urgency to management?
A. Security metrics reports
B. Risk assessment reports
C. Business impact analysis (BIA)
D. Return on security investment report

Explanation:

Performing a risk assessment will allow the information security manager to prioritize the remedial measures and provide a means to convey a sense of urgency to management. Metrics reports are normally contained within the methodology of the risk assessment to give it credibility and provide an ongoing tool. The business impact analysis (BIA) covers continuity risks only. Return on security investment cannot be determined until a plan is developed based on the BIA.

53. Reviewing which of the following would BEST ensure that security controls are effective?
A. Risk assessment policies
B. Return on security investment
C. Security metrics
D. User access rights

Explanation:

Reviewing security metrics provides senior management a snapshot view and trends of an organization's security posture. Choice A is incorrect because reviewing risk assessment policies would not ensure that the controls are actually working. Choice B is incorrect because reviewing returns on security investments provides business justification for implementing controls, but does not measure the effectiveness of the control itself. Choice D is incorrect because reviewing user access rights is a joint responsibility of the data custodian and the data owner, and does not measure control effectiveness.

54. Which of the following is responsible for legal and regulatory liability?
A. Chief security officer (CSO)
B. Chief legal counsel (CLC)
C. Board and senior management
D. Information security steering group

Explanation:

The board of directors and senior management are ultimately responsible for all that happens in the organization. The others are not individually liable for failures of security in the organization.

55. While implementing information security governance an organization should FIRST:
A. adopt security standards.
B. determine security baselines.
C. define the security strategy.
D. establish security policies.

Explanation:

The first step in implementing information security governance is to define the security strategy, based on which security baselines are determined. Adopting suitable security standards, performing risk assessment and implementing security policy are steps that follow the definition of the security strategy.

56. The MOST basic requirement for an information security governance program is to:
A. be aligned with the corporate business strategy.
B. be based on a sound risk management approach.
C. provide adequate regulatory compliance.
D. provide best practices for security initiatives.

Explanation:

To receive senior management support, an information security program should be aligned with the corporate business strategy. Risk management is a requirement of an information security program, which should take into consideration the business strategy. Security governance is much broader than just regulatory compliance. Best practice is an operational concern and does not have a direct impact on a governance program.

57. Information security policy enforcement is the responsibility of the:
A. security steering committee.
B. chief information officer (CIO).
C. chief information security officer (CISO).
D. chief compliance officer (CCO).

Explanation:

Information security policy enforcement is the responsibility of the chief information security officer (CISO), first and foremost. The board of directors and executive management should ensure that a security policy is in line with corporate objectives. The chief information officer (CIO) and the chief compliance officer (CCO) are involved in the enforcement of the policy but are not directly responsible for it.

58. A good privacy statement should include:
A. notification of liability on accuracy of information.
B. notification that information will be encrypted.
C. what the company will do with information it collects.
D. a description of the information classification process.

Explanation:

Most privacy laws and regulations require disclosure on how information will be used. Choice A is incorrect because that information should be located in the web site's disclaimer. Choice B is incorrect because, although encryption may be applied, this is not generally disclosed. Choice D is incorrect because information classification would be contained in a separate policy.

59. Which of the following would be MOST effective in successfully implementing restrictive password policies?
A. Regular password audits
B. Single sign-on system
C. Security awareness program
D. Penalties for noncompliance

Explanation:

To be successful in implementing restrictive password policies, it is necessary to obtain the buy-in of the end users. The best way to accomplish this is through a security awareness program. Regular password audits and penalties for noncompliance would not be as effective on their own; people would work around them unless forced by the system. Single sign-on is a technology solution that would enforce password complexity but would not promote user compliance. For the effort to be more effective, user buy-in is important.

60. When designing an information security quarterly report to management, the MOST important element to be considered should be the:
A. information security metrics.
B. knowledge required to analyze each issue.
C. linkage to business area objectives.
D. baseline against which metrics are evaluated.

Explanation:

The link to business objectives is the most important element that would be considered by management. Information security metrics should be put in the context of impact on management objectives. Although important, the security knowledge required would not be the first element to be considered. Baselining against the information security metrics will be considered later in the process.

61. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the:
corporate data privacy policy.
data privacy policy where data are collected.
data privacy policy of the headquarters' country.
data privacy directive applicable globally.

Explanation:

As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from the country in which the organization is headquartered, it is improbable that a group-wide policy will address all the local legal requirements. In case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. The data privacy laws are country-specific.

62. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
meet with stakeholders to decide how to comply.
analyze key risks in the compliance process.
assess whether existing controls meet the regulation.
update the existing security/privacy policy.

Explanation:

If the organization is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. The other choices are appropriate and important; however, they are actions that are subsequent and will depend on whether there is an existing control gap.

63. The PRIMARY objective of a security steering group is to:
ensure information security covers all business functions.
ensure information security aligns with business goals.
raise information security awareness across the organization.
implement all decisions on security management across the organization.

Explanation:

The security steering group comprises senior management of key business functions and has the primary objective to align the security strategy with the business direction. Option A is incorrect because all business areas may not be required to be covered by information security; but, if they do, the main purpose of the steering committee would be alignment more so than coverage. While raising awareness is important, this goal would not be carried out by the committee itself. The steering committee may delegate part of the decision making to the information security manager; however, if it retains this authority, it is not the primary goal.

64. Data owners must provide a safe and secure environment to ensure confidentiality, integrity and availability of the transaction. This is an example of an information security:
baseline.
strategy.
procedure.
policy.

Explanation:

A policy is a high-level statement of an organization's beliefs, goals, roles and objectives. Baselines assume a minimum security level throughout an organization. The information security strategy aligns the information security program with business objectives rather than making control statements. A procedure is a step-by-step process of how policy and standards will be implemented.

65. At what stage of the applications development process should the security department initially become involved?
When requested
At testing
At programming
At detail requirements

Explanation:

Information security has to be integrated into the requirements of the application's design. It should also be part of the information security governance of the organization. The application owner may not make a timely request for security involvement. It is too late during systems testing, since the requirements have already been agreed upon. Code reviews are part of the final quality assurance process.

66. A security manager is preparing a report to obtain the commitment of executive management to a security program. Inclusion of which of the following would be of MOST value?
Examples of genuine incidents at similar organizations
Statement of generally accepted best practices
Associating realistic threats to corporate objectives
Analysis of current technological exposures

Explanation:

Linking realistic threats to key business objectives will direct executive attention to them. All other options are supportive but not of as great a value as choice C when trying to obtain the funds for a new program.

67. The PRIMARY concern of an information security manager documenting a formal data retention policy would be:
generally accepted industry best practices.
business requirements.
legislative and regulatory requirements.
storage availability.

Explanation:

The primary concern will be to comply with legislation and regulation but only if this is a genuine business requirement. Best practices may be a useful guide but not a primary concern. Legislative and regulatory requirements are only relevant if compliance is a business need. Storage is irrelevant since whatever is needed must be provided.

68. When personal information is transmitted across networks, there MUST be adequate controls over:
change management.
privacy protection.
consent to data transfer.
encryption devices.

Explanation:

Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals. Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the devices may not ensure adequate privacy protection and, therefore, is a partial answer.

69. An organization's information security processes are currently defined as ad hoc. In seeking to improve their performance level, the next step for the organization should be to:
ensure that security processes are consistent across the organization.
enforce baseline security levels across the organization.
ensure that security processes are fully documented.
implement monitoring of key performance indicators for security processes.

Explanation:

The organization first needs to move from ad hoc to repeatable processes. The organization then needs to document the processes and implement process monitoring and measurement. Baselining security levels will not necessarily assist in process improvement since baselining focuses primarily on control improvement. The organization needs to standardize processes both before documentation, and before monitoring and measurement.

70. Who in an organization has the responsibility for classifying information?
Data custodian
Database administrator
Information security officer
Data owner

Explanation:

The data owner has full responsibility over data. The data custodian is responsible for securing the information. The database administrator carries out the technical administration. The information security officer oversees the overall classification management of the information.

71. What is the PRIMARY role of the information security manager in the process of information classification within an organization?
Defining and ratifying the classification structure of information assets
Deciding the classification levels applied to the organization's information assets
Securing information assets in accordance with their classification
Checking if information assets have been classified properly

Explanation:

Defining and ratifying the classification structure of information assets is the primary role of the information security manager in the process of information classification within the organization. Choice B is incorrect because the final responsibility for deciding the classification levels rests with the data owners. Choice C is incorrect because the job of securing information assets is the responsibility of the data custodians. Choice D may be a role of an information security manager but is not the key role in this context.

72. Logging is an example of which type of defense against systems compromise?
Containment
Detection
Reaction
Recovery

Explanation:

Detection defenses include logging as well as monitoring, measuring, auditing, detecting viruses and intrusion. Examples of containment defenses are awareness, training and physical security defenses. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.

73. Which of the following is MOST important in developing a security strategy?
Creating a positive business security environment
Understanding key business objectives
Having a reporting line to senior management
Allocating sufficient resources to information security

Explanation:

Alignment with business strategy is of utmost importance. Understanding business objectives is critical in determining the security needs of the organization.

74. Who is ultimately responsible for the organization's information?
Data custodian
Chief information security officer (CISO)
Board of directors
Chief information officer (CIO)

Explanation:

The board of directors is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. The data custodian is responsible for the maintenance and protection of data. This role is usually filled by the IT department. The chief information security officer (CISO) is responsible for security and carrying out senior management's directives. The chief information officer (CIO) is responsible for information technology within the organization and is not ultimately responsible for the organization's information.

75. Which of the following factors is a PRIMARY driver for information security governance that does not require any further justification?
Alignment with industry best practices
Business continuity investment
Business benefits
Regulatory compliance

Explanation:

Regulatory compliance can be a standalone driver for an information security governance measure. No further analysis nor justification is required since the entity has no choice in the regulatory requirements. Buy-in from business managers must be obtained by the information security manager when an information security governance measure is sought based on its alignment with industry best practices. Business continuity investment needs to be justified by business impact analysis. When an information security governance measure is sought based on qualitative business benefits, further analysis is required to determine whether the benefits outweigh the cost of the information security governance measure in question.

76. A security manager meeting the requirements for the international flow of personal data will need to ensure:
a data processing agreement.
a data protection registration.
the agreement of the data subjects.
subject access procedures.

Explanation:

Whenever personal data are transferred across national boundaries, the awareness and agreement of the data subjects are required. Choices A, B and D are supplementary data protection requirements that are not key for international data transfer.

77. An information security manager mapping a job description to types of data access is MOST likely to adhere to which of the following information security principles?
Ethics
Proportionality
Integration
Accountability

Explanation:

Information security controls should be proportionate to the risks of modification, denial of use or disclosure of the information. It is advisable to learn if the job description is apportioning more data than are necessary for that position to execute the business rules (types of data access). Principles of ethics and integration have the least to do with mapping job description to types of data access. The principle of accountability would be the second most adhered to principle since people with access to data may not always be accountable but may be required to perform an operation.

78. Which of the following is the MOST important prerequisite for establishing information security management within an organization?
Senior management commitment
Information security framework
Information security organizational structure
Information security policy

Explanation:

Senior management commitment is necessary in order for each of the other elements to succeed. Without senior management commitment, the other elements will likely be ignored within the organization.

79. What will have the HIGHEST impact on standard information security governance models?
Number of employees
Distance between physical locations
Complexity of organizational structure
Organizational budget

Explanation:

Information security governance models are highly dependent on the overall organizational structure. Some of the elements that impact organizational structure are multiple missions and functions across the organization, leadership and lines of communication. Number of employees and distance between physical locations have less impact on information security governance models since well-defined process, technology and people components intermingle to provide the proper governance. Organizational budget is not a major impact once good governance models are in place; hence governance will help in effective management of the organization's budget.

80. In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
prepare a security budget.
conduct a risk assessment.
develop an information security policy.
obtain benchmarking information.

Explanation:

Risk assessment, evaluation and impact analysis will be the starting point for driving management's attention to information security. All other choices will follow the risk assessment.

81. Temporarily deactivating some monitoring processes, even if supported by an acceptance of operational risk, may not be acceptable to the information security manager if:
it implies compliance risks.
short-term impact cannot be determined.
it violates industry security practices.
changes in the roles matrix cannot be detected.

Explanation:

Monitoring processes are also required to guarantee fulfillment of laws and regulations of the organization and, therefore, the information security manager will be obligated to comply with the law. Choices B and C are evaluated as part of the operational risk. Choice D is unlikely to be as critical a breach of regulatory legislation. The acceptance of operational risks overrides choices B, C and D.

82. An outcome of effective security governance is:
business dependency assessment.
strategic alignment.
risk assessment.
planning.

Explanation:

Business dependency assessment is a process of determining the dependency of a business on certain information resources. It is not an outcome or a product of effective security management. Strategic alignment is an outcome of effective security governance. Where there is good governance, there is likely to be strategic alignment. Risk assessment is not an outcome of effective security governance; it is a process. Planning comes at the beginning of effective security governance, and is not an outcome but a process.

83. How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation?
Give organization standards preference over local regulations
Follow local regulations only
Make the organization aware of those standards where local regulations cause conflicts
Negotiate a local version of the organization standards

Explanation:

Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since there needs to be some recognition of organization requirements. Making an organization aware of standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation.

84. Who should drive the risk analysis for an organization?
Senior management
Security manager
Quality manager
Legal department

Explanation:

Although senior management should support and sponsor a risk analysis, the know-how and the management of the project will be with the security department. Quality management and the legal department will contribute to the project.

85. The FIRST step in developing an information security management program is to:
identify business risks that affect the organization.
clarify organizational purpose for creating the program.
assign responsibility for the program.
assess adequacy of controls to mitigate business risks.

Explanation:

In developing an information security management program, the first step is to clarify the organization's purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.

86. Which of the following is the MOST important to keep in mind when assessing the value of information?
The potential financial loss
The cost of recreating the information
The cost of insurance coverage
Regulatory requirement

Explanation:

The potential for financial loss is always a key factor when assessing the value of information. Choices B, C and D may be contributors, but not the key factor.

87. What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?
Risk assessment report
Technical evaluation report
Business case
Budgetary requirements

Explanation:

The information security manager needs to prioritize the controls based on risk management and the requirements of the organization. The information security manager must look at the costs of the various controls and compare them against the benefit the organization will receive from the security solution. The information security manager needs to have knowledge of the development of business cases to illustrate the costs and benefits of the various controls. All other choices are supplemental.

88. To justify its ongoing security budget, which of the following would be of MOST use to the information security department?
Security breach frequency
Annualized loss expectancy (ALE)
Cost-benefit analysis
Peer group comparison

Explanation:

Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact. Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization.

89. Which of the following situations would MOST inhibit the effective implementation of security governance?
The complexity of technology
Budgetary constraints
Conflicting business priorities
High-level sponsorship

Explanation:

The need for senior management involvement and support is a key success factor for the implementation of appropriate security governance. Complexity of technology, budgetary constraints and conflicting business priorities are realities that should be factored into the governance model of the organization, and should not be regarded as inhibitors.

90. To achieve effective strategic alignment of security initiatives, it is important that:
Steering committee leadership be selected by rotation.
Inputs be obtained and consensus achieved between the major organizational units.
The business strategy be updated periodically.
Procedures and standards be approved by all departmental heads.

Explanation:

It is important to achieve consensus on risks and controls, and obtain inputs from various organizational entities since security needs to be aligned to the needs of the organization. Rotation of steering committee leadership does not help in achieving strategic alignment. Updating business strategy does not lead to strategic alignment of security initiatives. Procedures and standards need not be approved by all departmental heads.

91. What would be the MOST significant security risk when using wireless local area network (LAN) technology?
Man-in-the-middle attack
Spoofing of data packets
Rogue access point
Session hijacking

Explanation:

A rogue access point masquerades as a legitimate access point. The risk is that legitimate users may connect through this access point and have their traffic monitored. All other choices are not dependent on the use of a wireless local area network (LAN) technology.

92. When developing incident response procedures


involving servers hosting critical applications, which of the
following should be the FIRST to be notified?
Business management
Operations manager
Information security manager
System users

https://www.dumpsbase.com/freedumps/cism-practice-exam-dumps-can-help-you-prepare-exam-well.html Page 47 of 54
CISM Practice Exam Dumps Can Help You Prepare Exam Well – Valid IT Exam Dumps Questions 23.10.2021, 20:08


Explanation:
The escalation process in critical situations should involve the information security manager as the first contact, so that the appropriate escalation steps are invoked as necessary. Business management, the operations manager and system users are then notified according to the escalation procedure.

93. In implementing information security governance, the information security manager is PRIMARILY responsible for:
developing the security strategy.
reviewing the security strategy.
communicating the security strategy.
approving the security strategy.

Explanation:
The information security manager is responsible for developing a security strategy based on business objectives, with the help of business process owners. Reviewing the security strategy is the responsibility of a steering committee. The information security manager is not necessarily responsible for communicating or approving the security strategy.

94. An information security strategy document that includes specific links to an organization's business activities is PRIMARILY an indicator of:
performance measurement.
integration.
alignment.
value delivery.


Explanation:
Strategic alignment of security with business objectives is a key indicator of performance measurement. In guiding a security program, meaningful performance measurement will also rely on an understanding of business objectives, which will be an outcome of alignment. Business linkages do not by themselves indicate integration or value delivery. While alignment is an important precondition, it is not as important an indicator.

95. When an organization is setting up a relationship with a third-party IT service provider, which of the following is one of the MOST important topics to include in the contract from a security standpoint?
Compliance with international security standards.
Use of a two-factor authentication system.
Existence of an alternate hot site in case of business disruption.
Compliance with the organization's information security requirements.

Explanation:
From a security standpoint, compliance with the organization's information security requirements is one of the most important topics to include in the contract with a third-party service provider. The scope of controls implemented in any ISO 27001-compliant organization depends on the security requirements that organization has itself established, so requiring compliance only with this standard does not guarantee that the service provider meets the organization's own security requirements. The requirement to use a specific kind of control methodology is not usually stated in the contract with third-party service providers.

96. To justify the need to invest in a forensic analysis tool, an information security manager should FIRST:
review the functionalities and implementation requirements of the solution.
review comparison reports of tool implementation in peer companies.
provide examples of situations where such a tool would be useful.
substantiate the investment in meeting organizational needs.

Explanation:
Any investment must be reviewed to determine whether it is cost effective and supports the organizational strategy. It is important to review the features and functionalities provided by such a tool, and to provide examples of situations where the tool would be useful, but that comes after substantiating the investment and its return to the organization.

97. The MOST useful way to describe the objectives in the information security strategy is through:
attributes and characteristics of the "desired state."
overall control objectives of the security program.
mapping the IT systems to key business processes.
calculation of annual loss expectations.

Explanation:
A security strategy will typically cover a wide variety of issues, processes, technologies and outcomes, which can best be described by a set of desired characteristics and attributes. Control objectives are developed after strategy and policy development. Mapping IT systems to key business processes does not address strategy issues. Calculation of annual loss expectations would not describe the objectives in the information security strategy.


98. In order to highlight to management the importance of network security, the security manager should FIRST:
develop a security architecture.
install a network intrusion detection system (NIDS) and prepare a list of attacks.
develop a network security policy.
conduct a risk assessment.

Explanation:
A risk assessment would be most helpful to management in understanding, at a very high level, the threats, their probabilities and the existing controls. Developing a security architecture, installing a network intrusion detection system (NIDS) and preparing a list of attacks on the network, or developing a network security policy would not be as effective in highlighting the importance to management, and would follow only after performing a risk assessment.

99. When developing an information security program, what is the MOST useful source of information for determining available resources?
Proficiency test
Job descriptions
Organization chart
Skills inventory

Explanation:
A skills inventory would help identify the available resources, any gaps, and the training requirements for developing resources. Proficiency testing is useful, but only with regard to specific technical skills. Job descriptions would not be as useful since they may be out of date or not sufficiently detailed. An organization chart would not provide the details necessary to determine the resources required for this activity.


100. The MOST important characteristic of good security policies is that they:
state expectations of IT management.
state only one general security mandate.
are aligned with organizational goals.
govern the creation of procedures and guidelines.

Explanation:
The most important characteristic of good security policies is that they are aligned with organizational goals. Failure to align policies and goals significantly reduces the value provided by the policies. Stating expectations of IT management omits addressing overall organizational goals and objectives. Stating only one general security mandate is the next best option, since policies should be clear; otherwise they may be confusing and difficult to understand. Governing the creation of procedures and guidelines is most relevant to information security standards.
