Free ISACA CISM Exam Braindumps (page: 69)

A company's mail server allows anonymous file transfer protocol (FTP) access which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?

  A. A penetration test
  B. A security baseline review
  C. A risk assessment
  D. A business impact analysis (BIA)

Answer(s): C

Explanation:

A risk assessment will identify the business impact of such a vulnerability being exploited and is, thus, the correct process. A penetration test or a security baseline review may identify the vulnerability but not the remedy. A business impact analysis (BIA) will more likely identify the impact of the loss of the mail server.



Which of the following measures would be MOST effective against insider threats to confidential information?

  A. Role-based access control
  B. Audit trail monitoring
  C. Privacy policy
  D. Defense-in-depth

Answer(s): A

Explanation:

Role-based access control provides access according to business needs; therefore, it reduces unnecessary access rights and enforces accountability. Audit trail monitoring is a detective control, which is 'after the fact.' A privacy policy is not relevant to this risk. Defense-in-depth primarily focuses on external threats.



Because of its importance to the business, an organization wants to quickly implement a technical solution which deviates from the company's policies. An information security manager should:

  A. conduct a risk assessment and allow or disallow based on the outcome.
  B. recommend a risk assessment and implementation only if the residual risks are accepted.
  C. recommend against implementation because it violates the company's policies.
  D. recommend revision of current policy.

Answer(s): B

Explanation:

Whenever the company's policies cannot be followed, a risk assessment should be conducted to clarify the risks. It is then up to management to accept the risks or to mitigate them. Management determines the level of risk they are willing to take. Recommending revision of current policy should not be triggered by a single request.



After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:

  A. increase its customer awareness efforts in those regions.
  B. implement monitoring techniques to detect and react to potential fraud.
  C. outsource credit card processing to a third party.
  D. make the customer liable for losses if they fail to follow the bank's advice.

Answer(s): B

Explanation:

While customer awareness will help mitigate the risks, it is insufficient on its own to control fraud risk. Implementing monitoring techniques that will detect and deal with potential fraud cases is the most effective way to deal with this risk. If the bank outsources its processing, the bank still retains liability. Making the customer liable for losses is a possible approach, but the bank still needs to be seen to be proactive in managing its risks.