Free ISACA CISM Exam Braindumps (page: 80)

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?

  A. Performing a business impact analysis (BIA)
  B. Considering personal information devices as part of the security policy
  C. Initiating IT security training and familiarization
  D. Basing the information security infrastructure on risk assessment

Answer(s): D

Explanation:

The information security infrastructure should be based on risk. While considering personal information devices as part of the security policy may be a consideration, it is not the most important requirement. A BIA is typically carried out to prioritize business processes as part of a business continuity plan. Initiating IT security training may not be important for the purpose of the information security infrastructure.



Previously accepted risk should be:

  A. re-assessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.
  B. accepted permanently since management has already spent resources (time and labor) to conclude that the risk level is acceptable.
  C. avoided next time since risk avoidance provides the best protection to the company.
  D. removed from the risk log once it is accepted.

Answer(s): A

Explanation:

Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to change(s) and, hence, risk cannot be accepted permanently. Risk is an inherent part of business and it is impractical and costly to eliminate all risk. Even risks that have been accepted should be monitored for changing conditions that could alter the original decision.



An information security manager is advised by contacts in law enforcement that there is evidence that his/her company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:

  A. perform a comprehensive assessment of the organization's exposure to the hackers' techniques.
  B. initiate awareness training to counter social engineering.
  C. immediately advise senior management of the elevated risk.
  D. increase monitoring activities to provide early detection of intrusion.

Answer(s): C

Explanation:

Information about possible significant new risks from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat. The security manager should assess the risk, but senior management should be immediately advised. It may be prudent to initiate an awareness campaign subsequent to sounding the alarm if awareness training is not current. Monitoring activities should also be increased.



Which of the following steps should be performed FIRST in the risk assessment process?

  A. Staff interviews
  B. Threat identification
  C. Asset identification and valuation
  D. Determination of the likelihood of identified risks

Answer(s): C

Explanation:

The first step in the risk assessment methodology is a system characterization, or identification and valuation, of all of the enterprise's assets to define the boundaries of the assessment. Interviewing is a valuable tool to determine qualitative information about an organization's objectives and tolerance for risk. Interviews are used in subsequent steps. Identification of threats comes later in the process and should not be performed prior to an inventory since many possible threats will not be applicable if there is no asset at risk. Determination of likelihood comes later in the risk assessment process.

