Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

Free ISACA CISM Exam Braindumps (page: 71)

Page 71 of 430
PDF with 1716 Questions

The BEST strategy for risk management is to:

  1. achieve a balance between risk and organizational goals.
  2. reduce risk to an acceptable level.
  3. ensure that policy development properly considers organizational risks.
  4. ensure that all unmitigated risks are accepted by management.

Answer(s): B

Explanation:

The best strategy for risk management is to reduce risk to an acceptable level, as this will take into account the organization's appetite for risk and the fact that it would not be practical to eliminate all risk. Achieving balance between risk and organizational goals is not always practical. Policy development must consider organizational risks as well as business objectives. It may be prudent to ensure that management understands and acceptsrisks that it is not willing to mitigate, but that is a practice and is not sufficient to l>e considered a strategy.



Which of the following would be the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?

  1. Disclosure of personal information
  2. Sufficient coverage of the insurance policy for accidental losses
  3. Intrinsic value of the data stored on the equipment
  4. Replacement cost of the equipment

Answer(s): C

Explanation:

When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carries mobile equipment for business purposes, an organization must develop a clear policy as to what information should be kept on the equipment and for what purpose. Personal information is not defined in the question as the data that were lost. Insurance may be a relatively smaller issue as compared with information theft or opportunity loss, although insurance is also an important factor for a successful business. Cost of equipment would be a less important issue as compared with other choices.



An organization has to comply with recently published industry regulatory requirements — compliance that potentially has high implementation costs. What should the information security manager do FIRST?

  1. Implement a security committee.
  2. Perform a gap analysis.
  3. Implement compensating controls.
  4. Demand immediate compliance.

Answer(s): B

Explanation:

Since they are regulatory requirements, a gap analysis would be the first step to determine the level of compliance already in place. Implementing a security committee or compensating controls would not be the first step. Demanding immediate compliance would not assess the situation.



Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

  1. Annual loss expectancy (ALE) of incidents
  2. Frequency of incidents
  3. Total cost of ownership (TCO)
  4. Approved budget for the project

Answer(s): C

Explanation:

The total cost of ownership (TCO) would be the most relevant piece of information in that it would establish a cost baseline and it must be considered for the full life cycle of the control. Annual loss expectancy (ALE) and the frequency of incidents could help measure the benefit, but would have more of an indirect relationship as not all incidents may be mitigated by implementing a two-factor authentication system. The approved budget for the project may have no bearing on what the project may actually cost.






Post your Comments and Discuss ISACA CISM exam prep with other Community members:

CISM Exam Discussions & Posts