Free ISACA CISM Exam Braindumps (page: 72)

One way to determine control effectiveness is by determining:

  A. whether it is preventive, detective or compensatory.
  B. the capability of providing notification of failure.
  C. the test results of intended objectives.
  D. the evaluation and analysis of reliability.

Answer(s): C

Explanation:

Determining control effectiveness requires a process that verifies the control actually worked as intended, i.e., testing it against its stated objectives. Mechanisms such as dual control or double-entry bookkeeping provide exactly this kind of verification and assurance that the process operated as designed. The type of control (preventive, detective or compensatory) is not relevant to whether it is effective, and the ability to notify on failure does not by itself establish control strength. Reliability is likewise not an indication of effectiveness: a weak control can operate highly reliably while still failing to achieve its objective.



What does a network vulnerability assessment intend to identify?

  A. 0-day vulnerabilities
  B. Malicious software and spyware
  C. Security design flaws
  D. Misconfiguration and missing updates

Answer(s): D

Explanation:

A network vulnerability assessment is intended to identify known vulnerabilities arising from common misconfigurations and missing updates. 0-day vulnerabilities are, by definition, not yet publicly known, so an assessment has nothing to check for and cannot detect them. Malicious software and spyware are normally addressed through antivirus and antispyware controls rather than a vulnerability assessment. Security design flaws require a deeper level of analysis than a scan can provide.



Who is responsible for ensuring that information is classified?

  A. Senior management
  B. Security manager
  C. Data owner
  D. Custodian

Answer(s): C

Explanation:

The data owner is responsible for assigning the proper classification to the data. Senior management is ultimately accountable for the organization as a whole, not for classifying individual data sets. The security manager is responsible for applying security protection appropriate to the classification level specified by the owner. The custodian (typically the technology group) is delegated custody of the data by the data owner, but the custodian does not classify the information.



After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:

  A. transferred.
  B. treated.
  C. accepted.
  D. terminated.

Answer(s): C

Explanation:

When the cost of a control exceeds the cost of the risk it would address, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of doing so is greater than the cost of the risk itself.
