Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

Free ISACA CISM Exam Braindumps (page: 76)

Page 76 of 430
PDF with 1716 Questions

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?

  1. Manager
  2. Custodian
  3. User
  4. Owner

Answer(s): D

Explanation:

Although the information owner may be in a management position and is also considered a user, the information owner role has the responsibility for determining information classification levels. Management is responsible for higher-level issues such as providing and approving budget, supporting activities, etc. The information custodian is responsible for day-to-day security tasks such as protecting information, backing up information, etc. Users are the lowest level. They use the data, but do not classify the data. The owner classifies the data.



The PRIMARY reason for assigning classes of sensitivity and criticality to information resources is to provide a basis for:

  1. determining the scope for inclusion in an information security program.
  2. defining the level of access controls.
  3. justifying costs for information resources.
  4. determining the overall budget of an information security program.

Answer(s): B

Explanation:

The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program and has only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality contributes to, but does not decide, the overall budget of the information security program.



An organization is already certified to an international security standard. Which mechanism would BEST help to further align the organization with other data security regulatory requirements as per new business needs?

  1. Key performance indicators (KPIs)
  2. Business impact analysis (BIA)
  3. Gap analysis
  4. Technical vulnerability assessment

Answer(s): C

Explanation:

Gap analysis would help identify the actual gaps between the desired state and the current implementation of information security management. BIA is primarily used for business continuity planning. Technical vulnerability assessment is used for detailed assessment of technical controls, which would come later in the process and would not provide complete information in order to identify gaps.



When performing a qualitative risk analysis, which of the following will BEST produce reliable results?

  1. Estimated productivity losses
  2. Possible scenarios with threats and impacts
  3. Value of information assets
  4. Vulnerability assessment

Answer(s): B

Explanation:

Listing all possible scenarios that could occur, along with threats and impacts, will better frame the range of risks and facilitate a more informed discussion and decision. Estimated productivity losses, value of information assets and vulnerability assessments would not be sufficient on their own.






Post your Comments and Discuss ISACA CISM exam prep with other Community members:

CISM Exam Discussions & Posts