Free ISACA CISM Exam Braindumps (page: 64)

Which of the following risks is represented in the risk appetite of an organization?

  A. Control
  B. Inherent
  C. Residual
  D. Audit

Answer(s): C

Explanation:

Residual risk is the risk that remains after controls have been applied, i.e., inherent risk reduced by the effect of the controls in place. It is the risk the organization actually lives with, so risk appetite is expressed in terms of residual risk: the amount of remaining risk the business is willing to accept without threatening its viability. Inherent risk is the exposure before any controls are considered, so it is not what the appetite describes. Control risk, the potential for controls to fail, and audit risk, which relates only to the auditor's approach to their own work, are not relevant in this context.



Which of the following would a security manager establish to determine the target for restoration of normal processing?

  A. Recovery time objective (RTO)
  B. Maximum tolerable outage (MTO)
  C. Recovery point objective (RPO)
  D. Service delivery objective (SDO)

Answer(s): A

Explanation:

Recovery time objective (RTO) is the length of time from the moment of an interruption until the process must be functioning again at a service level sufficient to limit financial and operational impacts to an acceptable level; it is therefore the target for restoration of normal processing. Maximum tolerable outage (MTO) is the maximum time for which an organization can continue to operate in a reduced (alternate) mode before the impact becomes unacceptable. Recovery point objective (RPO) relates to the age of the data that must be recovered, i.e., the maximum acceptable data loss measured in time. Service delivery objective (SDO) is the level of service that must be maintained while operating in reduced mode.



A risk management program would be expected to:

  A. remove all inherent risk.
  B. maintain residual risk at an acceptable level.
  C. implement preventive controls for every threat.
  D. reduce control risk to zero.

Answer(s): B

Explanation:

The objective of risk management is to ensure that residual risk is maintained at a level acceptable to the business. It is not intended to remove every identified risk or to implement controls for every threat, since doing so is rarely cost-effective and inherent risk cannot be eliminated entirely. Control risk, i.e., the risk that a control may not be effective, is addressed by the program but is unlikely ever to be reduced to zero.



Risk assessment should be built into which of the following systems development phases to ensure that risks are addressed in a development project?

  A. Programming
  B. Specification
  C. User testing
  D. Feasibility

Answer(s): D

Explanation:

Risk should be addressed as early as possible in the development cycle. The feasibility study should include a risk assessment so that the cost of the required controls can be estimated before the project is approved to proceed. Risk is also considered in the specification phase, where the controls are designed, but that design is based on the assessment already carried out in the feasibility study. Programming (choice A) and user testing (choice C) occur too late for an assessment to influence whether or how the project proceeds.
