Free CISM Exam Braindumps (page: 31)


The FIRST step in establishing a security governance program is to:

  A. conduct a risk assessment.
  B. conduct a workshop for all end users.
  C. prepare a security budget.
  D. obtain high-level sponsorship.

Answer(s): D

Explanation:

The establishment of a security governance program is possible only with the support and sponsorship of top management, since security governance projects are enterprise-wide and integrated into business processes. Conducting a risk assessment, conducting a workshop for all end users and preparing a security budget all follow once high-level sponsorship is obtained.



An IS manager has decided to implement a security system to monitor access to the Internet and prevent access to numerous sites. Immediately upon installation, employees flood the IT helpdesk with complaints of being unable to perform business functions on Internet sites. This is an example of:

  A. conflicting security controls with organizational needs.
  B. strong protection of information resources.
  C. implementing appropriate controls to reduce risk.
  D. proving information security's protective abilities.

Answer(s): A

Explanation:

The needs of the organization were not taken into account, so there is a conflict. This example is not strong protection; the system is poorly configured. As it is being used, the system is not an appropriate control to reduce risk. It does not prove the ability to protect, but rather the ability to interfere with the business.



An organization's information security strategy should be based on:

  A. managing risk relative to business objectives.
  B. managing risk to a zero level and minimizing insurance premiums.
  C. avoiding occurrence of risks so that insurance is not required.
  D. transferring most risks to insurers and saving on control costs.

Answer(s): A

Explanation:

Organizations must manage risks to a level that is acceptable for their business model, goals and objectives. A zero-level approach may be costly and not provide the effective benefit of additional revenue to the organization. Long-term maintenance of this approach may not be cost effective. Risks vary as business models, geography, and regulatory and operational processes change. Insurance covers only a small portion of risks and requires that the organization have certain operational controls in place.



Which of the following should be included in an annual information security budget that is submitted for management approval?

  A. A cost-benefit analysis of budgeted resources
  B. All of the resources that are recommended by the business
  C. Total cost of ownership (TCO)
  D. Baseline comparisons

Answer(s): A

Explanation:

A brief of the benefit of expenditures in the budget helps to convey the context of how the purchases that are being requested meet goals and objectives, which in turn helps build credibility for the information security function or program. Such briefs of benefits also help engage senior management in the support of the information security program. While the budget should consider all inputs and recommendations that are received from the business, the budget that is ultimately submitted to management for approval should include only those elements that are intended for purchase. TCO may be requested by management and may be provided in an addendum to a given purchase request, but is not usually included in an annual budget.
Baseline comparisons (cost comparisons with other companies or industries) may be useful in developing a budget or providing justification in an internal review for an individual purchase, but would not be included with a request for budget approval.
