FREE QUESTION BANK: SAMPLE PRACTICE QUESTIONS FOR THE CISM (Certified Information Security Manager) EXAM

ABOUT THE CISM EXAM

ISACA CISM (Certified Information Security Manager) is a professional certification offered by ISACA (Information Systems Audit and Control Association). The certification is designed for information security managers and professionals who want to demonstrate expertise in managing, designing, and assessing an organization's information security. The details of ISACA CISM are as follows:

CISM Exam Content

The CISM exam covers four main domains:

  1. Governance of Information Security: Focuses on information security policy and strategy.
  2. Risk Management and Compliance: Managing risk and complying with regulations.
  3. Information Security Program Development and Management: Developing and managing the information security program.
  4. Information Security Incident Management: Managing information security incidents.

Number of Questions, Exam Fee, and How to Register

  • Number of Questions: The CISM exam consists of 150 multiple-choice questions.
  • Exam Fee: The fee varies with ISACA membership status and location, and usually ranges from $575 to $760.
  • How to Register: Registration is done through the ISACA website. Candidates need to create an account, choose an exam location and date, and pay the stated fee.

Tips for Passing the Exam

  1. Understand the Material: Concentrate on the four main exam domains.
  2. Practice Questions: Use practice questions to become familiar with the format and types of exam questions.
  3. Study Regularly: Set up a regular, consistent study schedule.
  4. Take a Preparation Class: Joining a preparation class can help you understand difficult concepts and provides structured guidance.

Ideal Study Time

  • The ideal amount of study time varies, but it is usually in the range of 100-150 hours spread over several months.

Self-Study vs. Training Center

  • Some individuals may choose to study on their own if they already have experience in a related field.
  • However, training with a certified and experienced trainer such as Mr. Hery Purnama offers many advantages. An experienced trainer can provide practical insight, efficient study techniques, and in-depth guidance on the exam material.

The Importance of Certified Training

  • Training with a certified trainer such as Mr. Hery Purnama provides structured guidance, which is especially useful for those who are new to the field.
  • With more than 20 years of experience as a trainer and IT project manager, Mr. Hery Purnama can provide practical context and real-world applications of the material taught.

Overall, CISM is a globally recognized certification that can add significant value to a career in information security management.


FREE SAMPLE CISM EXAM QUESTIONS


1. Which of the following best describes information security governance?

      Information security policies.

      Information security policies along with audits of those policies.

      Management’s control of information security processes.

      Benchmarks of metrics as compared to similar organizations.


2. What is the best method for ensuring that an organization’s security program achieves adequate business alignment?

      Find and read the organization’s articles of incorporation.

      Understand the organization’s vision, mission statement, and objectives.

      Study the organization’s chart of management reporting (the “org chart”).

      Study the organization’s financial chart of accounts.


3. Robert has located his organization’s mission statement and a list of strategic objectives. What steps should Robert take to ensure that the information security program aligns with the business?

      Discuss strategic objectives with business leaders to understand better what they want to accomplish and what steps are being taken to achieve them.

      Develop a list of activities that will support the organization’s strategic objectives, and determine the cost of each.

      Select those controls from the organization’s control framework that align to each objective, and then ensure that those controls are effective.

      Select the policies from the organization’s information security policy that are relevant to each objective, and ensure that those policies are current.


4. Michael wants to improve the risk management process in his organization by creating guidelines that will help management understand when certain risks should be accepted and when certain risks should be mitigated. The policy that Michael needs to create is known as what?

      Security policy

      Control framework

      Risk appetite statement

      Control testing procedure


5. In a risk management process, who is the best person(s) to make a risk treatment decision?

      Chief risk officer (CRO)

      Chief information officer (CIO)

      Process owner who is associated with the risk

      Chief information security officer (CISO)


6. The ultimate responsibility for an organization’s cybersecurity program lies with whom?

      The board of directors

      The chief executive officer (CEO)

      The chief information officer (CIO)

      The chief information security officer (CISO)


7. In a U.S. public company, a CISO will generally report the state of the organization’s cybersecurity program to:

      The Treadway Commission

      Independent auditors

      The U.S. Securities and Exchange Commission

      The audit committee of the board of directors


8. A new CISO in an organization is building its cybersecurity program from the ground up. To ensure collaboration among business leaders and department heads in the organization, the CISO should form and manage which of the following?

      A risk committee of the board of directors

      A cybersecurity steering committee

      An audit committee of the board of directors

      Business-aligned security policy


9. Who is the best person or group to make cyber-risk treatment decisions?

      The chief information security officer (CISO)

      The audit committee of the board of directors

      The cybersecurity steering committee

      The chief risk officer (CRO)


10. Which is the best party to conduct access reviews?

      Users’ managers

      Information security manager

      IT service desk

      Department head


11. Which is the best party to make decisions about the purpose and function of business applications?

      Business department head

      IT business analyst

      Application developer

      End user


12. Which of the following is the best definition of custodial responsibility?

      Custodian protects assets based on customer’s defined interests

      Custodian protects assets based on its own defined interests

      Custodian makes decisions based on its own defined interests

      Custodian makes decisions based on customer’s defined interests


13. What is the primary risk of IT acting as custodian for a business owner?

      IT may not have enough interest to provide quality care for business applications.

      IT may not have sufficient staffing to care for business applications properly.

      IT may have insufficient knowledge of business operations to make good decisions.

      Business departments might not give IT sufficient access to manage applications properly.


14. An organization needs to hire an executive who will build a management program that will consider threats and vulnerabilities and determine controls needed to protect systems and work centers. What is the best job title for this position?

      CSO

      CRO

      CISO

      CIRO


15. The Big Data Company is adjusting several position titles in its IT department to reflect industry standards. Included in consideration are two individuals: The first is responsible for the overall relationships and data flows among its internal and external information systems. The second is responsible for the overall health and management of systems containing information. Which two job titles are most appropriate for these two roles?

      Systems architect and database administrator

      Data architect and data scientist

      Data scientist and database administrator

      Data architect and database administrator


16. What is the primary distinction between a network engineer and a telecom engineer?

      A network engineer is primarily involved with networks and internal network media, while a telecom engineer is primarily involved with networks and external (carrier) network media.

      A network engineer is primarily involved with networks and external (carrier) network media, while a telecom engineer is primarily involved with networks and internal network media.

      A network engineer is primarily involved with layer 3 protocols and above, while a telecom engineer is primarily involved with layer 1 and layer 2 protocols.

      There is no distinction, as both are involved in all aspects of an organization’s networks.


17. An organization that is a U.S. public company is redesigning its access management and access review controls. What is the best role for internal audit in this redesign effort?

      Develop procedures

      Design controls

      Provide feedback on control design

      Develop controls and procedures


18. A security operations manager is proposing that engineers who design and manage information systems play a role in monitoring those systems. Is design and management compatible with monitoring? Why or why not?

      Personnel who design and manage systems should not perform a monitoring role because this is a conflict of interest.

      Personnel who design and manage systems will be more familiar with the reasons and steps to take when alerts are generated.

      Personnel who design and manage systems will not be familiar with response procedures when alerts are generated.

      Personnel who design and manage systems are not permitted access to production environments and should not perform monitoring.


19. What is the purpose of metrics in an information security program?

      To measure the performance and effectiveness of security controls

      To measure the likelihood of an attack on the organization

      To predict the likelihood of an attack on an organization

      To predict the method of an attack on an organization


20. Which security metric is best considered a leading indicator of an attack?

      Number of firewall rules triggered

      Number of security awareness training sessions completed

      Percentage of systems scanned

      Mean time to apply security patches




