MENGENAL UJIAN CISM
ISACA CISM (Certified Information Security Manager) adalah sertifikasi profesional yang ditawarkan oleh ISACA (Information Systems Audit and Control Association). Sertifikasi ini dirancang untuk manajer dan profesional keamanan informasi yang ingin menunjukkan keahlian dalam pengelolaan, desain, dan penilaian keamanan informasi suatu organisasi. Berikut adalah detail mengenai ISACA CISM:
Materi Ujian CISM
Ujian
CISM mencakup empat domain utama:
- Governance of Information
Security: Fokus pada kebijakan dan strategi keamanan informasi.
- Risk Management and
Compliance: Pengelolaan risiko dan kepatuhan dengan peraturan.
- Information Security Program
Development and Management: Pengembangan dan pengelolaan
program keamanan informasi.
- Information Security Incident
Management: Manajemen insiden keamanan informasi.
Jumlah Soal, Biaya Ujian, dan Cara
Mendaftar
- Jumlah Soal: Ujian CISM
terdiri dari 150 pertanyaan pilihan ganda.
- Biaya Ujian: Biaya ujian
bervariasi tergantung pada status keanggotaan di ISACA dan lokasi,
biasanya berkisar antara $575 hingga $760.
- Cara Mendaftar: Pendaftaran
dilakukan melalui situs web ISACA. Calon peserta ujian perlu membuat akun,
memilih lokasi dan tanggal ujian, dan membayar biaya yang ditentukan.
Tips Lulus Ujian
- Pahami Materi: Konsentrasi
pada keempat domain utama ujian.
- Latihan Soal: Gunakan
latihan soal untuk memahami format dan jenis pertanyaan ujian.
- Rutin Belajar: Buat jadwal
belajar yang teratur dan konsisten.
- Ikuti Kelas Persiapan: Bergabung
dengan kelas persiapan dapat membantu memahami konsep yang sulit dan
menyediakan bimbingan terstruktur.
Waktu Ideal untuk Belajar
- Waktu ideal untuk belajar
bervariasi, tetapi biasanya berkisar antara 100-150 jam belajar selama
beberapa bulan.
Belajar Mandiri vs. Training Center
- Beberapa individu mungkin memilih
belajar mandiri jika mereka sudah memiliki pengalaman di bidang terkait.
- Namun, mengikuti pelatihan
bersama trainer bersertifikasi dan berpengalaman seperti Bapak Hery
Purnama dapat memberikan banyak keuntungan. Trainer yang berpengalaman
dapat menyediakan wawasan praktis, teknik belajar yang efisien, dan
panduan mendalam mengenai materi ujian.
Pentingnya Pelatihan Bersertifikasi
- Pelatihan bersama trainer
bersertifikasi seperti Bapak Hery Purnama memberikan panduan terstruktur,
yang sangat berguna bagi mereka yang baru di bidang ini.
- Dengan pengalaman lebih dari 20
tahun sebagai trainer dan IT project manager, Bapak Hery Purnama mampu
menyediakan konteks praktis dan aplikasi nyata dari materi yang diajarkan.
Secara keseluruhan, CISM
adalah sertifikasi yang diakui secara global dan dapat memberikan nilai tambah
besar bagi karir di bidang manajemen keamanan informasi.
CONTOH SOAL GRATIS UJIAN CISM
1. Which of the following best describes information security governance?
⚪ Information security policies.
⚪ Information security policies along with audits of those policies.
⚫ Management’s control of information security processes.
⚪ Benchmarks of metrics as compared to similar organizations.
2. What is the best method for ensuring that an organization’s security program achieves adequate business alignment?
⚪ Find and read the organization’s articles of incorporation.
⚫ Understand the organization’s vision, mission statement, and objectives.
⚪ Study the organization’s chart of management reporting (the “org chart”).
⚪ Study the organization’s financial chart of accounts.
3. Robert has located his organization’s mission statement and a list of strategic objectives. What steps should Robert take to ensure that the information security program aligns with the business?
⚫ Discuss strategic objectives with business leaders to understand better what they want to accomplish and what steps are being taken to achieve them.
⚪ Develop a list of activities that will support the organization’s strategic objectives, and determine the cost of each.
⚪ Select those controls from the organization’s control framework that align to each objective, and then ensure that those controls are effective.
⚪ Select the policies from the organization’s information security policy that are relevant to each objective, and ensure that those policies are current.
4. Michael wants to improve the risk management process in his organization by creating guidelines that will help management understand when certain risks should be accepted and when certain risks should be mitigated. The policy that Michael needs to create is known as what?
⚪ Security policy
⚪ Control framework
⚫ Risk appetite statement
⚪ Control testing procedure
5. In a risk management process, who is the best person(s) to make a risk treatment decision?
⚪ Chief risk officer (CRO)
⚪ Chief information officer (CIO)
⚫ Process owner who is associated with the risk
⚪ Chief information security officer (CISO)
6. The ultimate responsibility for an organization’s cybersecurity program lies with whom?
⚫ The board of directors
⚪ The chief executive officer (CEO)
⚪ The chief information officer (CIO)
⚪ The chief information security officer (CISO)
7. In a U.S. public company, a CISO will generally report the state of the organization’s cybersecurity program to:
⚪ The Treadway Commission
⚪ Independent auditors
⚪ The U.S. Securities and Exchange Commission
⚫ The audit committee of the board of directors
8. A new CISO in an organization is building its cybersecurity program from the ground up. To ensure collaboration among business leaders and department heads in the organization, the CISO should form and manage which of the following?
⚪ A risk committee of the board of directors
⚫ A cybersecurity steering committee
⚪ An audit committee of the board of directors
⚪ Business-aligned security policy
9. Who is the best person or group to make cyber- risk treatment decisions?
⚪ The chief information security officer (CISO)
⚪ The audit committee of the board of directors
⚫ The cybersecurity steering committee
⚪ The chief risk officer (CRO)
10. Which is the best party to conduct access reviews?
⚪ Users’ managers
⚪ Information security manager
⚪ IT service desk
⚫ Department head
11. Which is the best party to make decisions about the purpose and function of business applications?
⚫ Business department head
⚪ IT business analyst
⚪ Application developer
⚪ End user
12. Which of the following is the best definition of custodial responsibility?
⚪ Custodian protects assets based on customer’s defined interests
⚪ Custodian protects assets based on its own defined interests
⚪ Custodian makes decisions based on its own defined interests
⚫ Custodian makes decisions based on customer’s defined interests
13. What is the primary risk of IT acting as custodian for a business owner?
⚪ IT may not have enough interest to provide quality care for business applications.
⚪ IT may not have sufficient staffing to care for business applications properly.
⚫ IT may have insufficient knowledge of business operations to make good decisions.
⚪ Business departments might not give IT sufficient access to manage applications properly.
14. An organization needs to hire an executive who will build a management program that will consider threats and vulnerabilities and determine controls needed to protect systems and work centers. What is the best job title for this position?
⚪ CSO
⚫ CRO
⚪ CISO
⚪ CIRO
15. The Big Data Company is adjusting several position titles in its IT department to reflect industry standards. Included in consideration are two individuals: The first is responsible for the overall relationships and data flows among its internal and external information systems. The second is responsible for the overall health and management of systems containing information. Which two job titles are most appropriate for these two roles?
⚪ Systems architect and database administrator
⚪ Data architect and data scientist
⚪ Data scientist and database administrator
⚫ Data architect and database administrator
16. What is the primary distinction between a network engineer and a telecom engineer?
⚫ A network engineer is primarily involved with networks and internal network media, while a telecom engineer is primarily involved with networks and external (carrier) network media.
⚪ A network engineer is primarily involved with networks and external (carrier) network media, while a telecom engineer is primarily involved with networks and internal network media.
⚪ A network engineer is primarily involved with layer 3 protocols and above, while a telecom engineer is primarily involved with layer 1 and layer 2 protocols.
⚪ There is no distinction, as both are involved in all aspects of an organization’s networks.
17. An organization that is a U.S. public company is redesigning its access management and access review controls. What is the best role for internal audit in this redesign effort?
⚪ Develop procedures
⚪ Design controls
⚫ Provide feedback on control design
⚪ Develop controls and procedures
18. A security operations manager is proposing that engineers who design and manage information systems play a role in monitoring those systems. Is design and management compatible with monitoring? Why or why not?
⚪ Personnel who design and manage systems should not perform a monitoring role because this is a conflict of interest.
⚫ Personnel who design and manage systems will be more familiar with the reasons and steps to take when alerts are generated.
⚪ Personnel who design and manage systems will not be familiar with response procedures when alerts are generated.
⚪ Personnel who design and manage systems are not permitted access to production environments and should not perform monitoring.
19. What is the purpose of metrics in an information security program?
⚫ To measure the performance and effectiveness of security controls
⚪ To measure the likelihood of an attack on the organization
⚪ To predict the likelihood of an attack on an organization
⚪ To predict the method of an attack on an organization
20. Which security metric is best considered a leading indicator of an attack?
⚪ Number of firewall rules triggered
⚪ Number of security awareness training sessions completed
⚪ Percentage of systems scanned
⚫ Mean time to apply security patches
 ){kind=link}
0 Komentar