Free ISACA CISM Exam Braindumps (page: 65)

Which of the following would help management determine the resources needed to mitigate a risk to the organization?

  A. Risk analysis process
  B. Business impact analysis (BIA)
  C. Risk management balanced scorecard
  D. Risk-based audit program

Answer(s): B

Explanation:

The business impact analysis (BIA) determines the possible outcome of a risk and is essential for determining the appropriate cost of control. The risk analysis process provides comprehensive data, but, unlike the BIA, it does not determine the specific resources needed to mitigate the risk. The risk management balanced scorecard is a measuring tool for goal attainment. A risk-based audit program is used to focus the audit process on the areas of greatest importance to the organization.



A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:

  A. there are sufficient safeguards in place to prevent this risk from happening.
  B. the needed countermeasure is too complicated to deploy.
  C. the cost of the countermeasure outweighs the value of the asset and the potential loss.
  D. the likelihood of the risk occurring is unknown.

Answer(s): C

Explanation:

An organization may decide to live with specific risks because it would cost more to protect itself than the value of the potential loss. The safeguards need to match the risk level. While countermeasures could be too complicated to deploy, this is not the most compelling reason. It is unlikely that a global financial institution would not be exposed to such attacks, and the frequency of the risk could not be predicted.



Which would be one of the BEST metrics an information security manager can employ to effectively evaluate the results of a security program?

  A. Number of controls implemented
  B. Percent of control objectives accomplished
  C. Percent of compliance with the security policy
  D. Reduction in the number of reported security incidents

Answer(s): B

Explanation:

Control objectives are directly related to business objectives; therefore, they would be the best metrics. The number of controls implemented does not have a direct relationship with the results of a security program. Percentage of compliance with the security policy and reduction in the number of reported security incidents are not as broad as choice B.



Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a large, multinational enterprise?

  A. Strategic business plan
  B. Upcoming financial results
  C. Customer personal information
  D. Previous financial results

Answer(s): D

Explanation:

Previous financial results are public; all of the other choices are private information and should only be accessed by authorized entities.


