Free CISM Exam Braindumps (page: 5)


The cost of implementing a security control should not exceed the:

  A. annualized loss expectancy.
  B. cost of an incident.
  C. asset value.
  D. implementation opportunity costs.

Answer(s): C

Explanation:

The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses that are expected to occur during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.



When a security standard conflicts with a business objective, the situation should be resolved by:

  A. changing the security standard.
  B. changing the business objective.
  C. performing a risk analysis.
  D. authorizing a risk acceptance.

Answer(s): C

Explanation:

Resolution of conflicts of this type should be based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. It is highly improbable that a business objective could be changed to accommodate a security standard, while risk acceptance is a process that derives from the risk analysis.



Minimum standards for securing the technical infrastructure should be defined in a security:

  A. strategy.
  B. guidelines.
  C. model.
  D. architecture.

Answer(s): D

Explanation:

Minimum standards for securing the technical infrastructure should be defined in a security architecture document. This document defines how components are secured and the security services that should be in place. A strategy is a broad, high-level document. A guideline is advisory in nature, while a security model shows the relationships between components.



Which of the following is MOST appropriate for inclusion in an information security strategy?

  A. Business controls designated as key controls
  B. Security processes, methods, tools and techniques
  C. Firewall rule sets, network defaults and intrusion detection system (IDS) settings
  D. Budget estimates to acquire specific security tools

Answer(s): B

Explanation:

A set of security objectives, processes, methods, tools and techniques together constitute a security strategy. Although IT and business governance are intertwined, business controls may not be included in a security strategy. Budgets will generally not be included in an information security strategy. Additionally, until the information security strategy is formulated and implemented, specific tools will not be identified and specific cost estimates will not be available. Firewall rule sets, network defaults and intrusion detection system (IDS) settings are technical details subject to periodic change, and are not appropriate content for a strategy document.