Free CISM Exam Braindumps (page: 23)

Page 22 of 430

The FIRST step in developing an information security management program is to:

  1. identify business risks that affect the organization.
  2. clarify organizational purpose for creating the program.
  3. assign responsibility for the program.
  4. assess adequacy of controls to mitigate business risks.

Answer(s): B

Explanation:

In developing an information security management program, the first step is to clarify the organization's purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.



Which of the following is the MOST important to keep in mind when assessing the value of information?

  1. The potential financial loss
  2. The cost of recreating the information
  3. The cost of insurance coverage
  4. Regulatory requirement

Answer(s): A

Explanation:

The potential for financial loss is always a key factor when assessing the value of information. Choices B, C and D may be contributors, but not the key factor.



What would a security manager PRIMARILY utilize when proposing the implementation of a security solution?

  1. Risk assessment report
  2. Technical evaluation report
  3. Business case
  4. Budgetary requirements

Answer(s): C

Explanation:

The information security manager needs to prioritize the controls based on risk management and the requirements of the organization. The information security manager must look at the costs of the various controls and compare them against the benefit the organization will receive from the security solution. The information security manager needs to have knowledge of the development of business cases to illustrate the costs and benefits of the various controls. All other choices are supplemental.



To justify its ongoing security budget, which of the following would be of MOST use to the information security' department?

  1. Security breach frequency
  2. Annualized loss expectancy (ALE)
  3. Cost-benefit analysis
  4. Peer group comparison

Answer(s): C

Explanation:

Cost-benefit analysis is the legitimate way to justify budget. The frequency of security breaches may assist the argument for budget but is not the key tool; it does not address the impact. Annualized loss expectancy (ALE) does not address the potential benefit of security investment. Peer group comparison would provide a good estimate for the necessary security budget but it would not take into account the specific needs of the organization.






Post your Comments and Discuss ISACA CISM exam with other Community members:

CISM Exam Discussions & Posts