Free CISM Braindumps

Privacy policies must contain notifications and opt-out provisions: they are a high-level
management statement of direction. They do not necessarily address warranties, liabilities or
geographic coverage, which are more specific.
The cost of implementing a security control should not exceed the:

A. annualized loss expectancy.
B. cost of an incident.
C. asset value.
D. implementation opportunity costs.
Answer(s): C
The cost of implementing security controls should not exceed the worth of the asset. Annualized
loss expectancy represents the losses that are expected to happen during a single calendar
year. A security mechanism may cost more than this amount (or the cost of a single incident)
and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the
acquisition of an item or the making of a business decision.
When a security standard conflicts with a business objective, the situation should be resolved by:

A. changing the security standard.
B. changing the business objective.
C. performing a risk analysis.
D. authorizing a risk acceptance.
Answer(s): C
Conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or
disallowing an exception to the standard. It is highly improbable that a business objective could
be changed to accommodate a security standard, while risk acceptance is a process that
derives from the risk analysis.
Minimum standards for securing the technical infrastructure should be defined in a security:

A. strategy.
B. guidelines.
C. model.
D. architecture.
Answer(s): D
Minimum standards for securing the technical infrastructure should be defined in a security
architecture document. This document defines how components are secured and the security
