Free ISACA CISM Exam Braindumps (page: 66)

The PRIMARY purpose of using risk analysis within a security program is to:

  A. justify the security expenditure.
  B. help businesses prioritize the assets to be protected.
  C. inform executive management of residual risk value.
  D. assess exposures and plan remediation.

Answer(s): D

Explanation:

Risk analysis explores the degree to which an asset needs protecting so this can be managed effectively. Risk analysis indirectly supports the security expenditure, but justifying the security expenditure is not its primary purpose. Helping businesses prioritize the assets to be protected is an indirect benefit of risk analysis, but not its primary purpose. Informing executive management of residual risk value is not directly relevant.



Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

  A. Defining job roles
  B. Performing a risk assessment
  C. Identifying data owners
  D. Establishing data retention policies

Answer(s): C

Explanation:

Identifying the data owners is the first step, and is essential to implementing data classification. Defining job roles is not relevant. Performing a risk assessment is important, but will require the participation of data owners (who must first be identified). Establishing data retention policies may occur after data have been classified.



An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:

  A. mitigate the impact by purchasing insurance.
  B. implement a circuit-level firewall to protect the network.
  C. increase the resiliency of security measures in place.
  D. implement a real-time intrusion detection system.

Answer(s): A

Explanation:

Since residual risk will always be too high, the only practical solution is to mitigate the financial impact by purchasing insurance.



What mechanisms are used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?

  A. Business impact analyses
  B. Security gap analyses
  C. System performance metrics
  D. Incident response processes

Answer(s): B

Explanation:

A security gap analysis is a process that measures all security controls in place against typically good business practice and identifies related weaknesses. A business impact analysis is less suited to identifying security deficiencies. System performance metrics may indicate security weaknesses, but that is not their primary purpose. Incident response processes exist for cases where security weaknesses are exploited.
