[Top Quality] CISM Isaca actual exam 161-170 (Dec 2021)

It is faster and easier to pass the Isaca CISM exam by using the Virtual Isaca Certified Information Security Manager questions and answers. Get immediate access to the Avant-garde CISM Exam and find the same core-area CISM questions with professionally verified answers, then pass your exam with a high score.

2021 Dec CISM free exam questions

Q161. The PRIMARY objective of a risk management program is to: 

A. minimize inherent risk. 

B. eliminate business risk. 

C. implement effective controls. 

D. minimize residual risk. 



The goal of a risk management program is to ensure that residual risk remains within manageable levels. Management of risk does not always require the removal of inherent risk nor is this always possible. A possible benefit of good risk management is to reduce insurance premiums, but this is not its primary intention. Effective controls are naturally a clear objective of a risk management program, but with the choices given, choice C is an incomplete answer. 

Q162. The cost of implementing a security control should not exceed the: 

A. annualized loss expectancy. 

B. cost of an incident. 

C. asset value. 

D. implementation opportunity costs. 



The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses that are expected to happen during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost-effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.

Q163. How would an information security manager balance the potentially conflicting requirements of an international organization's security standards and local regulation? 

A. Give organization standards preference over local regulations 

B. Follow local regulations only 

C. Make the organization aware of those standards where local regulations cause conflicts

D. Negotiate a local version of the organization standards 



Adherence to local regulations must always be the priority. Not following local regulations can prove detrimental to the group organization. Following local regulations only is incorrect since there needs to be some recognition of organization requirements. Making an organization aware of standards is a sensible step, but is not a total solution. Negotiating a local version of the organization standards is the most effective compromise in this situation. 

Q164. When personal information is transmitted across networks, there MUST be adequate controls over:

A. change management. 

B. privacy protection. 

C. consent to data transfer. 

D. encryption devices. 



Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data. Change management primarily protects only the information, not the privacy of the individuals. Consent is one of the protections that is frequently, but not always, required. Encryption is a method of achieving the actual control, but controls over the devices may not ensure adequate privacy protection and, therefore, is a partial answer.

Q165. When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set: 

A. to a higher false reject rate (FRR).

B. to a lower crossover error rate. 

C. to a higher false acceptance rate (FAR). 

D. exactly to the crossover error rate. 



Biometric access control systems are not infallible. When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (type I error rate), where the system is more prone to deny access to a valid user, or to the false acceptance rate, where it is more prone to allow access to an invalid user. As the sensitivity of the biometric system is adjusted, these values change inversely. At one point, the two values intersect and are equal. This condition creates the crossover error rate, which is a measure of the system's accuracy; it is sometimes referred to as the equal error rate (EER). In systems where the possibility of false rejects is a problem, it may be necessary to reduce sensitivity and thereby increase the number of false accepts. In a very sensitive system, it may be desirable to minimize the number of false accepts (the number of unauthorized persons allowed access). To do this, the system is tuned to be more sensitive, which causes the false rejects (the number of authorized persons disallowed access) to increase.


Q166. Which of the following is the MOST essential task for a chief information security officer (CISO) to perform? 

A. Update platform-level security settings 

B. Conduct disaster recovery test exercises 

C. Approve access to critical financial systems 

D. Develop an information security strategy paper 



Developing a strategy paper on information security would be the most appropriate. Approving access would be the job of the data owner. Updating platform-level security and conducting recovery test exercises would be less essential since these are administrative tasks. 

Q167. Which of the following guarantees that data in a file have not changed? 

A. Inspecting the modified date of the file 

B. Encrypting the file with symmetric encryption 

C. Using stringent access control to prevent unauthorized access 

D. Creating a hash of the file, then comparing the file hashes 



A hashing algorithm can be used to mathematically ensure that data haven't been changed by hashing a file and comparing the hashes after a suspected change. 

Q168. A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the risk assessment team. The MOST likely reason they made this decision is that:

A. there are sufficient safeguards in place to prevent this risk from happening. 

B. the needed countermeasure is too complicated to deploy. 

C. the cost of the countermeasure outweighs the value of the asset and potential loss.

D. the likelihood of the risk occurring is unknown.



An organization may decide to live with specific risks because it would cost more to protect itself than the value of the potential loss. The safeguards need to match the risk level. While countermeasures could be too complicated to deploy, this is not the most compelling reason. It is unlikely that a global financial institution would not be exposed to such attacks, and the frequency could not be predicted.

Q169. To achieve effective strategic alignment of security initiatives, it is important that: 

A. Steering committee leadership be selected by rotation. 

B. Inputs be obtained and consensus achieved between the major organizational units. 

C. The business strategy be updated periodically. 

D. Procedures and standards be approved by all departmental heads. 



It is important to achieve consensus on risks and controls, and to obtain inputs from various organizational entities, since security needs to be aligned to the needs of the organization. Rotation of steering committee leadership does not help in achieving strategic alignment. Updating the business strategy does not lead to strategic alignment of security initiatives. Procedures and standards need not be approved by all departmental heads.

Q170. An information security manager at a global organization has to ensure that the local information security program will initially ensure compliance with the: 

A. corporate data privacy policy. 

B. data privacy policy where data are collected. 

C. data privacy policy of the headquarters' country. 

D. data privacy directive applicable globally. 



As a subsidiary, the local entity will have to comply with the local law for data collected in the country. Senior management will be accountable for this legal compliance. The policy, being internal, cannot supersede the local law. Additionally, with local regulations differing from those of the country in which the organization is headquartered, it is improbable that a group-wide policy will address all the local legal requirements. In the case of data collected locally (and potentially transferred to a country with a different data privacy regulation), the local law applies, not the law applicable to the head office. Data privacy laws are country-specific.
