Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

ISACA CISM Exam Questions
Certified Information Security Manager (Page 55 )

Updated On: 21-Feb-2026
Page 55 of 345
PDF with 1716 Questions

Which of the following would BEST address the risk of data leakage?

  1. File backup procedures
  2. Database integrity checks
  3. Acceptable use policies
  4. Incident response procedures

Answer(s): C

Explanation:

Acceptable use policies are the best measure for preventing the unauthorized disclosure of confidential information. The other choices do not address confidentiality of information.



A company recently developed a breakthrough technology. Since this technology could give this company a significant competitive edge, which of the following would FIRST govern how this information is to beprotected?

  1. Access control policy
  2. Data classification policy
  3. Encryption standards
  4. Acceptable use policy

Answer(s): B

Explanation:

Data classification policies define the level of protection to be provided for each category of data. Without this mandated ranking of degree of protection, it is difficult to determine what access controls or levels of encryption should be in place. An acceptable use policy is oriented more toward the end user and, therefore, would not specifically address what controls should be in place to adequately protect information.



What is the BEST technique to determine which security controls to implement with a limited budget?

  1. Risk analysis
  2. Annualized loss expectancy (ALE) calculations
  3. Cost-benefit analysis
  4. Impact analysis

Answer(s): C

Explanation:

Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its benefit and that the best safeguard is provided for the cost of implementation. Risk analysis identifies the risks and suggests appropriate mitigation. The annualized loss expectancy (ALE) is a subset of a cost-benefit analysis. Impact analysis would indicate how much could be lost if a specific threat occurred.



A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?

  1. A penetration test
  2. A security baseline review
  3. A risk assessment
  4. A business impact analysis (BIA)

Answer(s): C

Explanation:

A risk assessment will identify- the business impact of such vulnerability being exploited and is, thus, the
correct process. A penetration test or a security baseline review may identify the vulnerability but not the remedy. A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.



Which of the following measures would be MOST effective against insider threats to confidential information?

  1. Role-based access control
  2. Audit trail monitoring
  3. Privacy policy
  4. Defense-in-depth

Answer(s): A

Explanation:

Role-based access control provides access according to business needs; therefore, it reduces unnecessary- access rights and enforces accountability. Audit trail monitoring is a detective control, which is 'after the fact.' Privacy policy is not relevant to this risk. Defense-in-depth primarily focuses on external threats






Post your Comments and Discuss ISACA CISM exam dumps with other Community members:

Join the CISM Discussion