Certified Information Security Manager
Isaca CISM Certification Exam Dumps & Practice Test Questions
Prepare with top-notch Isaca CISM certification practice test questions and answers, vce exam dumps, study guide, video training course from ExamCollection. All Isaca CISM certification exam dumps & practice test questions and answers are uploaded by users who have passed the exam themselves and formatted them into vce file format.
Now, some of the metrics can also be obtained through a security audit, which is outside the technical aspect. Now, in a security audit, we can measure some of the defences, but we have to remember that even though that involves people doing the testing, unless you test all potential threats, it's still not really possible to predict the whole security of an organisation. Now, it's also true that some companies or organisations are attacked more often than others. Financial institutions may be attacked more than a company that creates and sells food for your dog. And I'm not saying anything bad about the company that's creating the dog food. What I'm saying is people are probably going after money, monetary gain, greed, or maybe military or government agencies for espionage or other types of outside attacks. And keeping that in mind, then what are we looking at? We're saying, okay, if I have the dog food company and I can say, "Look, I've had like two attempts all year," I must have really good security, because NASA, where they keep all the spaceship secrets, has two attacks every few minutes. Okay, does that really mean that one's security is better than the other? So you understand what I'm saying: it's hard to measure the defences unless you look at all the potential attacks, and don't try to just kind of base it on metrics that show you how many attacks you might have had. Now, it is true that there could be a correlation between good security and relatively few incidents that cause loss. But remember, it's not a given. That's back to where security audits are very useful, because we can look at it from the perspective of even the psychology of why somebody would attack. What's their motivation?
Some of the components of your effective security metrics should include things like results-oriented metric analysis and quantifiable performance metrics, such as the return on investment or annualised loss that we might see, or even the value-added resource. You should have practical security policies and procedures. That's another component of your effective security. And, of course, supporting all of it is strong upper-level management support. Now, if you combine all of these types of ideas together, you can make a well-governed security programme.
Now, implementing security does require a lot of work. Therefore, there should be some form of metric in place that you can use to monitor the implementation of the results, or the implementation of security. Things are measured using key performance indicators, or KPIs. It's a key performance indicator. These are useful to be able to provide information about what achievements we have made with a process or service, whether or not we meet those goals, as well as determining when milestones are there and if we've met our objectives. It's kind of a part of project management. So the project is the implementation of certain security measures. We have to have ways to look to see if, during the process of implementation, we're meeting our goals, meeting our timelines, meeting our budget constraints, and meeting the hopes of what we're getting for this countermeasure or whatever it is we're implementing as far as security. And of course, at certain milestones, we can stop, look, and see, "Hey, did we hit these objectives?" Whether the milestones are based on time or on certain points in the implementation process, it's useful to let us know how well we've been doing and whether we are on track to finish in the way we expect.
The strategic alignment of your information security with your organisational objectives is one of your desired goals. Remember, the organisational objectives are our reference point; we need to keep the company doing what makes it profitable. Now, any other gauge that you might use could include things like best practices. It could be overkill, because again, we're trying to make sure we get to certain organisational objectives, or it might be inadequate or even misdirected, going in an area that we don't need to worry about for security. So again, the goal is to say, "Okay, I read a white paper that said this is how we should set up a layer of defence and put in this and this and this, control this, countermeasure this configuration," because that was a best practice for a company that may not be doing the same kind of business as you or anything related to you. That solution for your specific organisational objectives may be insufficient, as we previously stated, or it may be far too expensive. All right, an unrelated security example, but one that talks about being in line with your organisational objectives: years ago, I was assisting in the completion of a study on classification compensation outside the arena, but my focus was on the IT department, which really consisted of three or four people for the small city government, and the main person they had there was a retiree hired from a large corporation. He had spent his entire life working in mainframes, and the city suggested that they update their computer systems, and his suggestion was to buy a mainframe computer, which cost around a quarter million dollars back then, and the goal was that that's what he knew how to use, and the reason for it was to be able to manage the budgets, payrolls, and other such things for the 120 city employees. Not 120,000 of them: 120, something I could have done with my laptop or my iPad running a spreadsheet program. All right.
There may have been best practices in the organisation from which that man came, but they were not necessarily the best practices for that solution. It was certainly overkill; even worse, his plan was to retire again in another year or two, and now we're talking about a small community with this large mainframe and potentially not the human resources available in that location to have anybody else be able to run that particular system. All right. So that's a little unrelated to security, but it's just one that pops into my mind about: what are the organisational objectives? Certainly, the objectives were met in terms of computing power, but not necessarily in terms of return on investment or price tag.
Now, as we talk about strategic alignment, the best indicator of alignment could be things like having security programmes that help enable specific business activities. Again, that's where maybe we now want to have e-commerce, a web presence, and we need to have a programme that helps protect us from that new method by which people can connect to our networks. A security organisation that responds to your business needs rather than creating its own little silo and claiming to follow Microsoft best practices, not that there's anything wrong with that. Again, best practice is kind of generic. Every company is different. Microsoft realises that as well. That is why their operating system has so much flexibility in terms of how it can be used or useful. The security objectives are understood by everyone involved. I think that's a big part of this. How do I know that I'm really in line with the objectives of the business if I'm kind of moving in my own direction and nobody knows what I'm doing? Your security programmes should also show that they are mapped to the organisation's objectives. Again, showing that our goal is the business needs.