Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

ISACA CISM Exam Questions
Certified Information Security Manager (Page 58 )

Updated On: 21-Feb-2026
Page 58 of 345
PDF with 1716 Questions

One way to determine control effectiveness is by determining:

  1. whether it is preventive, detective or compensatory.
  2. the capability of providing notification of failure.
  3. the test results of intended objectives.
  4. the evaluation and analysis of reliability.

Answer(s): C

Explanation:

Control effectiveness requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended. The type of control is not relevant, and notification of failure is not determinative of control strength. Reliability is not an indication of control strength; weak controls can be highly reliable, even if they are ineffective controls.



What does a network vulnerability assessment intend to identify?

  1. 0-day vulnerabilities
  2. Malicious software and spyware
  3. Security design flaws
  4. Misconfiguration and missing updates

Answer(s): D

Explanation:

A network vulnerability assessment intends to identify known vulnerabilities based on common misconfigurations and missing updates. 0-day vulnerabilities by definition are not previously known and therefore are undetectable. Malicious software and spyware are normally addressed through antivirus and antispyware policies. Security design flaws require a deeper level of analysis.



Who is responsible for ensuring that information is classified?

  1. Senior management
  2. Security manager
  3. Data owner
  4. Custodian

Answer(s): C

Explanation:

The data owner is responsible for applying the proper classification to the data. Senior management is ultimately responsible for the organization. The security officer is responsible for applying security protection relative to the level of classification specified by the owner. The technology group is delegated the custody of the data by the data owner, but the group does not classify the information.



After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:

  1. transferred.
  2. treated.
  3. accepted.
  4. terminated.

Answer(s): C

Explanation:

When the cost of control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.



When a significant security breach occurs, what should be reported FIRST to senior management?

  1. A summary of the security logs that illustrates the sequence of events
  2. An of the incident and corrective action taken
  3. An analysis of the impact of similar attacks at other organizations
  4. A business case for implementing stronger logical access controls

Answer(s): B

Explanation:

When reporting an incident to senior management, the initial information to be communicated should include an of what happened and how the breach was resolved. A summary of security logs would be too technical to report to senior management. An analysis of the impact of similar attacks and a business case for improving controls would be desirable; however, these would be communicated later in the process.






Post your Comments and Discuss ISACA CISM exam dumps with other Community members:

Join the CISM Discussion