Free ISACA CISM Exam Braindumps (page: 70)

The criticality and sensitivity of information assets is determined on the basis of:

  1. threat assessment.
  2. vulnerability assessment.
  3. resource dependency assessment.
  4. impact assessment.

Answer(s): D

Explanation:

The criticality and sensitivity of information assets depend on the impact of threats exploiting vulnerabilities in the asset, weighted by their probability, and take into consideration the value of the asset and the impairment of that value. A threat assessment lists only the threats to which the information asset is exposed; it does not consider the value of the asset or the impact of the threat on that value. A vulnerability assessment lists only the vulnerabilities inherent in the information asset that can attract threats; it does not consider the value of the asset or the impact of perceived threats on that value. A resource dependency assessment provides process needs but not impact.



Which program element should be implemented FIRST in asset classification and control?

  1. Risk assessment
  2. Classification
  3. Valuation
  4. Risk mitigation

Answer(s): C

Explanation:

Valuation is performed first to identify and understand the assets needing protection. Risk assessment is performed to identify and quantify threats to information assets that are selected by the first step, valuation. Classification and risk mitigation are steps following valuation.



When performing a risk assessment, the MOST important consideration is that:

  1. management supports risk mitigation efforts.
  2. annual loss expectations (ALEs) have been calculated for critical assets.
  3. assets have been identified and appropriately valued.
  4. attack motives, means and opportunities are understood.

Answer(s): C

Explanation:

Identification and valuation of assets provide the basis for risk management efforts as they relate to the criticality and sensitivity of assets. Management support is always important, but it is not relevant when determining the proportionality of risk management efforts. ALE calculations are only valid if assets have first been identified and appropriately valued. Motives, means and opportunities should already be factored in as part of a risk assessment.



The MAIN reason why asset classification is important to a successful information security program is because classification determines:

  1. the priority and extent of risk mitigation efforts.
  2. the amount of insurance needed in case of loss.
  3. the appropriate level of protection to the asset.
  4. how protection levels compare to peer organizations.

Answer(s): C

Explanation:

Protection should be proportional to the value of the asset. Classification is based upon the value of the asset to the organization. The amount of insurance needed in case of loss may not be applicable in each case. Peer organizations may have different classification schemes for their assets.
